0xGAME 2024

MISC

base2048

一明一暗

报告哈基米

长宽一样

zsteg看隐写

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
from PIL import Image


def arnold(infile: str, outfile: str = None, a: int = 1, b: int = 1, shuffle_times: int = 1,
           reverse: bool = False) -> None:
    """
    Arnold猫脸变换函数

    Parameters:
        infile - 输入图像路径
        outfile - 输出图像路径
        a - Anrold 变换参数
        b - Anrold 变换参数
        shuffle_times - 置乱次数
        reverse - 逆变换
    """
    inimg = Image.open(infile)
    width, height = inimg.size
    indata = inimg.load()
    outimg = Image.new(inimg.mode, inimg.size)
    outdata = outimg.load()

    for _ in range(shuffle_times):
        for x in range(width):
            for y in range(height):
                if reverse:
                    nx = ((a * b + 1) * x - a * y) % width
                    ny = (y - b * x) % height
                else:
                    nx = (x + a * y) % width
                    ny = (b * x + (a * b + 1) * y) % height
                outdata[ny, nx] = indata[y, x]

    outimg.save(outfile if outfile else "arnold_" + infile, inimg.format)


#arnold("before.png", "encode.png", 9, 39, 1)
arnold("1.png", "decode.png", 7, 35, 1, True)

0xGame{hajimi_i5_

看到末尾有个zip的反转数据,找一下末尾,然后导出逆向一下

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
# 打开并读取原始文件内容
with open(r'D:\wangzhanxiazai\exppy\1.txt', 'rb') as f:
    a = f.read()

# 去掉原始数据中的换行符、空格等不可见字符
a = a.replace(b'\n', b'').replace(b'\r', b'').replace(b' ', b'')

# 将内容逆序
a = a[::-1]

# 将逆序内容写入新的文件
with open(r'D:\wangzhanxiazai\exppy\new.txt', 'wb') as new:
    new.write(a)

# 读取逆序后的文件内容
with open(r'D:\wangzhanxiazai\exppy\new.txt', 'rb') as f:
    b = f.read()

# 将内容转换为可变的字节数组
blist = bytearray(b)

# 按两个字节为一组进行交换
for i in range(0, len(blist) - 1, 2):
    blist[i], blist[i + 1] = blist[i + 1], blist[i]

# 打开目标文件以写入最终内容
with open(r'D:\wangzhanxiazai\exppy\flag.txt', 'wb') as flag:
    # 将所有处理后的字节内容连续写入文件
    flag.write(blist)

# 打印最终处理的内容(以逆序显示)
print(blist)
def format_hex_data_from_file(input_file, output_file):
    # 读取文件内容
    with open(input_file, 'r') as file:
        hex_data = file.read().strip()

    # 将字符串分成每两个字符一组
    grouped_data = [hex_data[i:i + 2] for i in range(0, len(hex_data), 2)]

    # 以16组为一行,每组之间用空格隔开
    formatted_data = '\n'.join([' '.join(grouped_data[i:i + 16]) for i in range(0, len(grouped_data), 16)])

    # 将格式化后的数据写入输出文件
    with open(output_file, 'w') as file:
        file.write(formatted_data)


# 输入和输出文件路径
input_file = r'D:\wangzhanxiazai\exppy\flag.txt'
output_file = r'D:\wangzhanxiazai\exppy\newflag.txt'

# 格式化并写入输出文件
format_hex_data_from_file(input_file, output_file)

保存为zip文件

也有相关的在线网站可以解

tupperexp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
import numpy as np
import matplotlib.pyplot as plt
from PIL import Image


def Tupper_self_referential_formula(k):
    aa = np.zeros((17, 106))

    def f(x, y):
        y += k
        a1 = 2 ** -(-17 * x - y % 17)
        a2 = (y // 17) // a1
        return 1 if a2 % 2 > 0.5 else 0

    for y in range(17):
        for x in range(106):
            aa[y, x] = f(x, y)
    return aa[:, ::-1]


k = 9489414856877039590479997730148554425666925984049232945604842888420596111937489062065081199094002132087091572191187170308560128611026043144427876131133135794969867759108490917632153891963456295991713868378392769549376070709924497237322046334486274987407067993824142187115870972520417207510521083293280152434558803258138899515603807505064799735152359900010019631133734298562293682916239050320580346316026460860919542540955914826806059123630945216006606268974979135253968165822806241305783300650874506602000048154282039485531804337171305656252


aa = Tupper_self_referential_formula(k)
plt.figure(figsize=(15, 10))
plt.imshow(aa, origin='lower')
plt.savefig("tupper.png")
img = Image.open('tupper.png')
# 翻转
dst1 = img.transpose(Image.FLIP_LEFT_RIGHT).rotate(180)
plt.imshow(dst1)
plt.show()

倒序一下数据再生成照片

倒过来看一下

Cute_r1ght?}

诗人握持

Web

Re

BabyBase

BinaryMaster

xor

看汇编把数据打印下来

1
2
3
4
a=[0x7e,0x35,0x0b,0x2a,0x27,0x2c,0x33,0x1f,0x76,0x37,0x1b,0x72,0x31,0x1e,0x36,0x0c,0x4c,0x44,0x63,0x72,0x57,0x49,0x8,0x45,0x42,0x1,0x5a,0x4,0x13,0x4c]
for i in range(30):
    a[i]^=78-i
    print(chr(a[i]),end='')

Xor-Endian

后往前读,最高位只有一位时补齐0 

1
2
3
4
5
6
7
8
9
10
11
12
key = "Key0xGame2024"
a = [0x7b, 0x1d, 0x3e, 0x51, 0x15, 0x22, 0x1a, 0x0f, 0x56, 0x0a, 0x51, 0x56, 0x00,
     0x28, 0x5d, 0x54, 0x07, 0x4b, 0x74, 0x05, 0x40, 0x51, 0x54, 0x08, 0x54,
     0x19, 0x72, 0x56, 0x1d, 0x04, 0x55, 0x76, 0x56, 0x0b, 0x54, 0x57, 0x07,
     0x0b, 0x55, 0x73, 0x01, 0x4f, 0x08, 0x05]


for i in range(len(a)):

    a[i] = a[i] ^ ord(key[i % len(key)])  
    #if 32 <= a[i] <= 126:  
    print(chr(a[i]),end='')

upx

  • 这里的逻辑对每个字节执行如下操作:
    • *v2 = (16 * *v2) | (*v2 >> 4);
      • 这个表达式将字节左移 4 位,然后将高 4 位通过右移操作保留并通过 | 操作拼接到低 4 位。
      • 换句话说,左移使低 4 位变为 0,高 4 位占据低 4 位,然后用原先的高 4 位来填充新生成的高 4 位。
  • 该操作对字符串的每个字节都重复,直到遇到 0(字符串结束符或空字节)。

为了逆向该过程,我们需要恢复原始的字节。给定编码后的字节值,我们可以通过以下操作恢复原始值:

  • 将编码后的字节右移 4 位,以获取原始字节的高 4 位。
  • 将编码后的字节进行掩码操作(与 0x0F)保留低 4 位,恢复原始字节的低 4 位。
1
2
3
4
5
6
7
8
9
10
a=[
    3, 135, 116,  22, 214,  86, 183,  99, 131,  70, 
  102, 102,  67,  83, 131, 210,  35, 147,  86,  83, 
  210,  67,  54,  54,   3, 210,  22, 147,  54,  38, 
  210, 147, 115,  19, 102,  86,  54,  51,  51, 131, 
   86,  35, 102, 215
]
for i in range(44):
    a[i]=(a[i]>>4 | (a[i]&0x0f)<<4)
    print(chr(a[i]),end='')

Ezjar

求逆元

5x =1mod 16

16 =5*3+1

5=5*1

1=16-5*3

-3 mod 16=13

1
2
3
4
5
6
7
8
9
10
11
key='0123456789abcdef'
a='ab50e920-4a97-70d1-b646-cdac5c873376'
inverse=13
chang=len(key)
for i in range(len(a)):
    if(a[i] not in key):
        print(a[i],end='')
    else:
        suoyin=key.index(a[i])
        yuan=key[((suoyin-3+chang)%chang*inverse)%chang]
        print(yuan,end='')

Ezpyc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
# uncompyle6 version 3.9.1
# Python bytecode version base 3.8.0 (3413)
# Decompiled from: Python 3.10.9 | packaged by Anaconda, Inc. | (main, Mar  1 2023, 18:18:15) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: D:\PortPython3.8.9\App\Python\0xgame\EzPyc.py
# Compiled at: 2024-09-10 22:18:53
# Size of source mod 2**32: 519 bytes
import hashlib
user_input = input("请输入神秘代号:")
if user_input != "Ciallo~":
    print("代号不是这个哦")
    exit()
input_hash = hashlib.md5(user_input.encode()).hexdigest()
print(input_hash)
input_hash = list(input_hash)

for i in range(len(input_hash)):
    if ord(input_hash[i]) in range(48, 58):
        original_num = int(input_hash[i])
        new_num = (original_num + 5) % 10
        input_hash[i] = str(new_num)
input_hash = "".join(input_hash)
print("0xGame{{{}}}".format(input_hash))

# okay decompiling 1.pyc

Xor::Ramdom

动态看v21的值 v21是0x7b

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
import random
a=[0x0c,0x4f,0x10,0x1f,0x4e, 0x16,0x21,0x12,0x4b,0x24, 0x10,0x4b,0x0a,0x24,0x1f,0x17,0x09,0x4f,0x07,0x08,0x21,0x5c,0x2c,0x1a,0x10,0x1f,0x11,0x16,0x59,0x5a]
v23=0
v21=0
v4=0
v5=0
random.seed(0x1919810)
v21=0x7b
for i in range(len(a)):
    if(i & 1 !=0):
        v8=v21
    else:
        v8=v21+3
    a[i]^=v8
for i in range(len(a)):
    print(chr(a[i]%256),end='')

ZZZ

注意开头38*这个数据不是0x,要转化成16进制

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
from Crypto.Util.number import long_to_bytes
from libnum import n2s
from z3 import *
v10 = BitVec('v10', 32)
v11 = BitVec('v11', 32)
v12 = BitVec('v12', 32)

res=[]
solver = Solver()
solver.add(11 * v11 + 14 * v10 - v12 == 0x48FB41DDD)
solver.add(9 * v10 - 3 * v11 + 4 * v12 == 0x2BA692AD7)
solver.add((((v12 - v11)) >> 1) + (v10 ^ 0x87654321) == 3451779756)
if solver.check()==sat:
    model=solver.model()
    res.append(n2s(model[v10].as_long()))
    res.append(n2s(model[v11].as_long()))
    res.append(n2s(model[v12].as_long()))
print(res)

#0xGame{e544267d-7812-44b3-a35d-d085a85201a4}

注意最后的结果要倒序过来

ASM

1
2
3
4
5
6
7
8
9
10
11
12
13
14
a=[20, 92, 43, 69, 81, 73, 95, 23, 72, 22,24,
   69, 25, 27, 22, 17, 23, 29, 24, 73
    ,17, 24, 85, 27, 112, 76, 15, 92, 24, 1
    ,73, 84, 13, 81, 12, 0, 84, 73, 82, 8
    ,82, 81, 76, 125]
for i in range(44):
    if i <=21:
        a[i]+=28
    if i>21 and i<43:
        a[i]^=a[i-22]
for i in range(43):
    print(chr(a[i]),end='')
b='0xGame{3d24a572-394e-4ec7-b9c2-f9097fda1f4a}'
print(len(b))

TEA

littlepuzzle

看到数组

提示密码是48位,所以最后输入的是解出来的数字

pypro(python-version3.12)

看到他是3.8以上的pyc,所以用pycdc来反编译

这边不管使用uncompyle6还是pycdc都无法完全编译,使用pycdas查看字节码

看到加密的有base64,AES,运算模式是ECB,填充类型是PKCS5

上饶ctf 逆向 pvm.exe_pycdc.exe 反编译不了全部代码-CSDN博客

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
File Name: PyPro.py
    Object Name: <module>
    Qualified Name: <module>
    Arg Count: 0
    Pos Only Arg Count: 0
    KW Only Arg Count: 0
    Stack Size: 2
    Flags: 0x00000000
    [Names]
        'base64'
        'Crypto.Cipher'
        'AES'
        'Crypto.Util.number'
        'long_to_bytes'
        'key'
        'PKCS5_pad'
        'main'
        '__name__'
    [Locals+Names]
    [Constants]
        0
        None
        (
            'AES'
        )
        (
            'long_to_bytes'
        )
        0x554B134A029DE539438BD18604BF114
        [Code]
            File Name: PyPro.py
            Object Name: PKCS5_pad
            Qualified Name: PKCS5_pad
            Arg Count: 1
            Pos Only Arg Count: 0
            KW Only Arg Count: 0
            Stack Size: 5
            Flags: 0x00000003 (CO_OPTIMIZED | CO_NEWLOCALS)
            [Names]
                'len'
                'ljust'
                'to_bytes'
            [Locals+Names]
                'data'
                'length'
            [Constants]
                None
                48
            [Disassembly]
                0       RESUME                          0
                2       LOAD_GLOBAL                     1: NULL + len
                12      LOAD_FAST                       0: data
                14      CALL                            1
                22      LOAD_CONST                      1: 48
                24      COMPARE_OP                      2 (<)
                28      POP_JUMP_IF_FALSE               46 (to 122)
                30      LOAD_CONST                      1: 48
                32      LOAD_GLOBAL                     1: NULL + len
                42      LOAD_FAST                       0: data
                44      CALL                            1
                52      BINARY_OP                       10 (-)
                56      STORE_FAST                      1: length
                58      LOAD_FAST                       0: data
                60      LOAD_ATTR                       3: ljust
                80      LOAD_CONST                      1: 48
                82      LOAD_FAST                       1: length
                84      LOAD_ATTR                       5: to_bytes
                104     CALL                            0
                112     CALL                            2
                120     RETURN_VALUE                    
                122     RETURN_CONST                    0: None
        [Code]
            File Name: PyPro.py
            Object Name: main
            Qualified Name: main
            Arg Count: 0
            Pos Only Arg Count: 0
            KW Only Arg Count: 0
            Stack Size: 5
            Flags: 0x00000003 (CO_OPTIMIZED | CO_NEWLOCALS)
            [Names]
                'input'
                'encode'
                'len'
                'print'
                'range'
                'exit'
                'ord'
                'AES'
                'new'
                'long_to_bytes'
                'key'
                'MODE_ECB'
                'encrypt'
                'PKCS5_pad'
                'base64'
                'b64encode'
                'decode'
            [Locals+Names]
                'enc'
                'i'
                'chiper'
                'result'
                'data'
            [Constants]
                None
                '在这里输入你的flag:\n'
                'utf-8'
                44
                'length error!'
                123
                6
                '{'
                -1
                '}'
                'format error'
                1
                '2e8Ugcv8lKVhL3gkv3grJGNE3UqkjlvKqCgJSGRNHHEk98Kd0wv6s60GpAUsU+8Q'
                'flag正确'
                '错误'
            [Disassembly]
                0       RESUME                          0
                2       LOAD_GLOBAL                     1: NULL + input
                12      LOAD_CONST                      1: '在这里输入你的flag:\n'
                14      CALL                            1
                22      LOAD_ATTR                       3: encode
                42      LOAD_CONST                      2: 'utf-8'
                44      CALL                            1
                52      STORE_FAST                      0: enc
                54      LOAD_GLOBAL                     5: NULL + len
                64      LOAD_FAST                       0: enc
                66      CALL                            1
                74      LOAD_CONST                      3: 44
                76      COMPARE_OP                      55 (!=)
                80      POP_JUMP_IF_FALSE               48 (to 178)
                82      LOAD_GLOBAL                     7: NULL + print
                92      LOAD_CONST                      4: 'length error!'
                94      CALL                            1
                102     POP_TOP                         
                104     LOAD_GLOBAL                     9: NULL + range
                114     LOAD_GLOBAL                     5: NULL + len
                124     LOAD_FAST                       0: enc
                126     CALL                            1
                134     CALL                            1
                142     GET_ITER                        
                144     FOR_ITER                        2 (to 150)
                148     STORE_FAST                      1: i
                150     JUMP_BACKWARD                   4 (to 144)
                152     END_FOR                         
                154     LOAD_GLOBAL                     11: NULL + exit
                164     LOAD_CONST                      5: 123
                166     CALL                            1
                174     POP_TOP                         
                176     JUMP_FORWARD                    57 (to 292)
                178     LOAD_FAST                       0: enc
                180     LOAD_CONST                      6: 6
                182     BINARY_SUBSCR                   
                186     LOAD_GLOBAL                     13: NULL + ord
                196     LOAD_CONST                      7: '{'
                198     CALL                            1
                206     COMPARE_OP                      55 (!=)
                210     POP_JUMP_IF_TRUE                17 (to 246)
                212     LOAD_FAST                       0: enc
                214     LOAD_CONST                      8: -1
                216     BINARY_SUBSCR                   
                220     LOAD_GLOBAL                     13: NULL + ord
                230     LOAD_CONST                      9: '}'
                232     CALL                            1
                240     COMPARE_OP                      55 (!=)
                244     POP_JUMP_IF_FALSE               23 (to 292)
                246     LOAD_GLOBAL                     7: NULL + print
                256     LOAD_CONST                      10: 'format error'
                258     CALL                            1
                266     POP_TOP                         
                268     LOAD_GLOBAL                     11: NULL + exit
                278     LOAD_CONST                      11: 1
                280     CALL                            1
                288     POP_TOP                         
                290     NOP                             
                292     LOAD_GLOBAL                     15: NULL + AES
                302     LOAD_ATTR                       16: new
                322     LOAD_GLOBAL                     19: NULL + long_to_bytes
                332     LOAD_GLOBAL                     20: key
                342     CALL                            1
                350     LOAD_GLOBAL                     14: AES
                360     LOAD_ATTR                       22: MODE_ECB
                380     CALL                            2
                388     STORE_FAST                      2: chiper
                390     LOAD_FAST                       2: chiper
                392     LOAD_ATTR                       25: encrypt
                412     LOAD_GLOBAL                     27: NULL + PKCS5_pad
                422     LOAD_FAST                       0: enc
                424     CALL                            1
                432     CALL                            1
                440     STORE_FAST                      0: enc
                442     LOAD_GLOBAL                     29: NULL + base64
                452     LOAD_ATTR                       30: b64encode
                472     LOAD_FAST                       0: enc
                474     CALL                            1
                482     STORE_FAST                      3: result
                484     LOAD_CONST                      12: '2e8Ugcv8lKVhL3gkv3grJGNE3UqkjlvKqCgJSGRNHHEk98Kd0wv6s60GpAUsU+8Q'
                486     STORE_FAST                      4: data
                488     LOAD_FAST                       3: result
                490     LOAD_ATTR                       33: decode
                510     CALL                            0
                518     LOAD_FAST                       4: data
                520     COMPARE_OP                      40 (==)
                524     POP_JUMP_IF_FALSE               12 (to 550)
                526     LOAD_GLOBAL                     7: NULL + print
                536     LOAD_CONST                      13: 'flag正确'
                538     CALL                            1
                546     POP_TOP                         
                548     RETURN_CONST                    0: None
                550     LOAD_GLOBAL                     7: NULL + print
                560     LOAD_CONST                      14: '错误'
                562     CALL                            1
                570     POP_TOP                         
                572     RETURN_CONST                    0: None
        '__main__'
    [Disassembly]
        0       RESUME                          0
        2       LOAD_CONST                      0: 0
        4       LOAD_CONST                      1: None
        6       IMPORT_NAME                     0: base64
        8       STORE_NAME                      0: base64
        10      LOAD_CONST                      0: 0
        12      LOAD_CONST                      2: ('AES',)
        14      IMPORT_NAME                     1: Crypto.Cipher
        16      IMPORT_FROM                     2: AES
        18      STORE_NAME                      2: AES
        20      POP_TOP                         
        22      LOAD_CONST                      0: 0
        24      LOAD_CONST                      3: ('long_to_bytes',)
        26      IMPORT_NAME                     3: Crypto.Util.number
        28      IMPORT_FROM                     4: long_to_bytes
        30      STORE_NAME                      4: long_to_bytes
        32      POP_TOP                         
        34      LOAD_CONST                      4: 0x554B134A029DE539438BD18604BF114
        36      STORE_NAME                      5: key
        38      LOAD_CONST                      5: <CODE> PKCS5_pad
        40      MAKE_FUNCTION                   0
        42      STORE_NAME                      6: PKCS5_pad
        44      LOAD_CONST                      6: <CODE> main
        46      MAKE_FUNCTION                   0
        48      STORE_NAME                      7: main
        50      LOAD_NAME                       8: __name__
        52      LOAD_CONST                      7: '__main__'
        54      COMPARE_OP                      40 (==)
        58      POP_JUMP_IF_FALSE               8 (to 76)
        60      PUSH_NULL                       
        62      LOAD_NAME                       7: main
        64      CALL                            0
        72      POP_TOP                         
        74      RETURN_CONST                    1: None
        76      RETURN_CONST                    1: None

拿出所有字节码看看,看到数据了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
根据以上的详细字节码反编译信息,我们可以还原并分析Python代码的逻辑。以下是逐步的还原代码和各部分的解释:

```python
import base64
from Crypto.Cipher import AES
from Crypto.Util.number import long_to_bytes

# 定义AES的密钥,用于对输入的数据进行加密
key = 0x554B134A029DE539438BD18604BF114

# PKCS5填充函数,用于确保数据长度是AES块大小的倍数(48字节)
def PKCS5_pad(data):
    if len(data) < 48:
        length = 48 - len(data)
        # 将数据填充到48字节
        return data + bytes([length] * length)  
    return data

def main():
    # 获取用户输入的flag并编码成utf-8格式
    enc = input('在这里输入你的flag:\n').encode('utf-8')

    # 检查输入的长度是否为44字节
    if len(enc) != 44:
        print('length error!')
        for i in range(len(enc)):
            pass  # 此处的循环没有实际操作
        exit(123)  # 长度错误时退出

    # 确保flag以特定的字符'{'开头和'}'结尾
    if ord(enc[6]) != ord('{') or ord(enc[-1]) != ord('}'):
        print('format error')
        exit(1)  # 格式错误时退出

    # 创建AES加密对象,使用ECB模式(Electronic Codebook)
    cipher = AES.new(long_to_bytes(key, 16), AES.MODE_ECB)
    
    # 对输入进行PKCS5填充并加密
    encrypted = cipher.encrypt(PKCS5_pad(enc))
    
    # 将加密结果进行Base64编码
    result = base64.b64encode(encrypted)
    
    # 预定义的加密验证数据
    expected_data = '2e8Ugcv8lKVhL3gkv3grJGNE3UqkjlvKqCgJSGRNHHEk98Kd0wv6s60GpAUsU+8Q'

    # 将结果解码为字符串并与预期数据进行比较
    if result.decode() == expected_data:
        print('flag正确')
    else:
        print('错误')

if __name__ == '__main__':
    main()

分析说明

  1. 密钥key是一个16字节的AES密钥,以十六进制表示,并在程序中使用。
  2. PKCS5填充PKCS5_pad函数确保数据的长度达到48字节,填充方式是将缺少的字节用填充值填充。
  3. 输入验证
    • 输入的flag必须为44字节长度,不符合长度则直接报错退出。
    • 验证flag的第7个字符为'{',且最后一个字符为'}',否则退出并提示格式错误。
  4. AES加密
    • 使用AES ECB模式加密填充后的数据,最终生成密文。
  5. Base64编码和比较
    • 对密文进行Base64编码,将编码结果与预期的字符串expected_data进行比较。
    • 如果匹配,输出“flag正确”;否则输出“错误”。

字节码中的细节

  • 反编译时的JUMP_BACKWARD和其他字节码指令实现了长度和格式的验证逻辑,以及字符位置的条件检查。
  • 出现的部分冗余指令可以忽略,因为它们不影响核心逻辑的理解和执行。
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42

来点chat

```plain
import base64
from Crypto.Cipher import AES
from Crypto.Util.number import long_to_bytes

# 定义AES的密钥
key = 0x554B134A029DE539438BD18604BF114


# PKCS5填充去填充函数
def PKCS5_unpad(data):
    # 获取最后一个字节的值,它表示填充的字节数
    padding_length = data[-1]
    return data[:-padding_length]  # 返回去掉填充的内容


def decrypt(enc_data):
    # 对Base64编码的数据进行解码
    encrypted_data = base64.b64decode(enc_data)

    # 创建AES解密对象,使用ECB模式
    cipher = AES.new(long_to_bytes(key, 16), AES.MODE_ECB)

    # 解密数据
    decrypted_data = cipher.decrypt(encrypted_data)

    # 去掉PKCS5填充
    return PKCS5_unpad(decrypted_data)


if __name__ == '__main__':
    # 这里替换为需要解密的Base64字符串
    encrypted_flag = '2e8Ugcv8lKVhL3gkv3grJGNE3UqkjlvKqCgJSGRNHHEk98Kd0wv6s60GpAUsU+8Q'

    # 调用解密函数
    decrypted_flag = decrypt(encrypted_flag)

    # 输出解密结果
    print('解密后的flag:', decrypted_flag.decode('utf-8'))

MineSweeper

Crypto

caeser

直接爆破

code

#2024比赛
0xGAME 2024
http://example.com/2024/12/08/0xGame 2024/
Author
chaye
Posted on
December 8, 2024
Licensed under