暑假内部赛

MISC

小小侦探家

1722397780481-2b833edb-ad78-4fb0-9801-77ae953a8dc3.png

1722397891416-ae242081-6efb-4dd9-b785-e25c634eae1e.png

1722398014481-0d0a3e12-fc0c-4270-ad50-436fb318d21a.png

encode

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
# uncompyle6 version 3.9.1
# Python bytecode version base 3.8.0 (3413)
# Decompiled from: Python 3.10.9 | packaged by Anaconda, Inc. | (main, Mar  1 2023, 18:18:15) [MSC v.1916 64 bit (AMD64)]
# Embedded file name: encode.py


def xor_encrypt(input_bytes, key):
    key_length = len(key)
    output_bytes = bytearray(len(input_bytes))
    for i in range(len(input_bytes)):
        output_bytes[i] = input_bytes[i] ^ key[i % key_length]
    else:
        return output_bytes


def encrypt_image(input_file, output_file):
    key = b'whereamifindme'
    with open(input_file, "rb") as f:
        image_data = f.read()
    encrypted_data = xor_encrypt(image_data, key)
    with open(output_file, "wb") as f:
        f.write(encrypted_data)
    print(f"Encryption completed. Encrypted image saved to {output_file}")


if __name__ == "__main__":
    input_file = "1.jpg"
    output_file = "flag.jpg"
    encrypt_image(input_file, output_file)

# okay decompiling encode.pyc

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
def xor_encrypt(input_bytes, key):
    key_length = len(key)
    output_bytes = bytearray(len(input_bytes))
    for i in range(len(input_bytes)):
        output_bytes[i] = input_bytes[i] ^ key[i % key_length]
    else:
        return output_bytes

def encrypt_image(input_file, output_file):
    key = b'whereamifindme'
    with open(input_file, "rb") as f:
        image_data = f.read()
    encrypted_data = xor_encrypt(image_data, key)
    with open(output_file, "wb") as f:
        f.write(encrypted_data)
    print(f"Encryption completed. Encrypted image saved to {output_file}")


def xor_decrypt(input_bytes, key):
    # XOR 解密与加密是相同的操作
    return xor_encrypt(input_bytes, key)

def decrypt_image(input_file, output_file):
    key = b'whereamifindme'
    with open(input_file, "rb") as f:
        encrypted_data = f.read()
    decrypted_data = xor_decrypt(encrypted_data, key)
    with open(output_file, "wb") as f:
        f.write(decrypted_data)
    print(f"Decryption completed. Decrypted image saved to {output_file}")

if __name__ == "__main__":
    input_file = "flag.jpg"
    output_file = "decrypted.jpg"
    decrypt_image(input_file, output_file)

1722398450272-655e73bb-6216-4884-bced-31dbdd3aa0f5.jpeg

嗯,美国的朋友

1722398785203-3e0820c5-db73-48ad-ab71-bccfdc9784a8.png

正常

1722403659378-1f7b980a-0fe0-4dcd-8f7a-76a496251b57.png

1722403257515-77115410-a107-44b4-8e9e-64ef04811208.jpeg

Matryoshka

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
import zipfile
import os
import shutil
import uuid

def extract_zip(zip_path, extract_to):
    """解压缩指定的 ZIP 文件到指定目录"""
    with zipfile.ZipFile(zip_path, 'r') as zip_ref:
        zip_ref.extractall(extract_to)
    print(f"Extracted: {zip_path} to {extract_to}")

def find_and_extract_zips(base_folder, temp_folder, output_folder):
    """递归查找并解压所有 ZIP 文件"""
    for root, dirs, files in os.walk(base_folder):
        for file in files:
            file_path = os.path.join(root, file)
            if file.endswith('.zip'):
                unique_folder = os.path.join(temp_folder, str(uuid.uuid4()))  # 创建唯一的临时文件夹
                os.makedirs(unique_folder, exist_ok=True)
                extract_zip(file_path, unique_folder)
                os.remove(file_path)  # 解压后删除 ZIP 文件
                print(f"Deleted: {file_path}")
                # 在新解压出的目录中继续查找 ZIP 文件
                find_and_extract_zips(unique_folder, temp_folder, output_folder)
            else:
                # 将最里面的文件移动到输出文件夹
                destination_path = os.path.join(output_folder, file)
                shutil.move(file_path, destination_path)
                print(f"Moved: {file_path} to {destination_path}")

if __name__ == "__main__":
    input_folder = r"D:\网站下载\exppy"  # 指定包含嵌套 ZIP 文件的根目录
    temp_folder = r"D:\临时解压文件夹"  # 用于解压的临时目录
    output_folder = r"D:\解压后的文件"  # 所有文件提取到的目标文件夹
    os.makedirs(temp_folder, exist_ok=True)  # 确保临时目录存在
    os.makedirs(output_folder, exist_ok=True)  # 确保输出目录存在

    find_and_extract_zips(input_folder, temp_folder, output_folder)
    print("所有文件提取完毕")

然后爆破密码

1722405394869-3053321d-2392-4bf1-831a-52ca60e4ea85.png

1722405509167-7ac1f6a2-d88f-47b7-870f-52683d7378e6.png

1722405565617-1b8e32f8-5cb4-4c41-b73b-3f8503c0b50a.png

1722414218554-683f8729-2586-4d4a-8c6c-16ba93b8b717.png

改成zip然后解压缩

1722414251376-5ce7e95f-e361-4c91-970e-5a91af357fef.png

然后就拿到照片不会了

1722416548417-646cec90-78b0-4b2b-916a-cecf412d9df2.png

来自周神的万能py(伟大无需多言)

1722418852200-7b993f45-1759-460b-83c0-ba5527519a17.png

1722418885797-0bb5ed61-03ad-4f1b-82b0-bae001f8c022.png\

sb0olI

WkpHU1VDVEZ7ODY1ODYzNkItNDJGMy0zNjQ4LTVCMjUtQUY2Q0RCRjI5NTI5fQ==

1722419785126-873c394b-a883-44e1-882b-acb89c8cf994.png

CRYPTO

phi

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
def euler_totient(n):
    result = n  # Initialize result as n
    p = 2
    # Consider all prime factors of n and subtract their multiples from result
    while p * p <= n:
        # Check if p is a prime factor
        if n % p == 0:
            # If yes, then update n and result
            while n % p == 0:
                n //= p
            result -= result // p
        p += 1
    # If n has a prime factor greater than sqrt(n)
    # (There can be at most one such prime factor)
    if n > 1:
        result -= result // n
    return result

n = int(input("Enter a number: "))
print(f"The number of integers less than {n} that are coprime with {n} is {euler_totient(n)}.")

basic_RSA

获得p,q

1
2
3
4
5
6
7
8
9
10
n = 8518969207529636389484032230886536704406768047371377256638626913642749445259329340941109791553519452501892180150380956873522604338824472473236167891564393
p = 983335626386310597717550945092743654289318641603143018459883485703236916430
q = 866333831393483651450507450957397118458633113000718740740857324290558250886

for i in range(100):
    for j in range(100):
        if((p*100+i)*(q*100+j)==n):
            print("p=",p*100+i)
            print("q=",q*100+j)
            break

1722394870801-73a3b752-0451-422b-87df-6fa6e8599de9.png

解密

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
import gmpy2
from Crypto.Util.number import long_to_bytes

q =86633383139348365145050745095739711845863311300071874074085732429055825088613
p =98333562638631059771755094509274365428931864160314301845988348570323691643061

e = 65537
c = 6562905193530371491664319145474869160361926759601288401756039886752371060413124293251174780962557430362519513676355513923070074558557958599788395941875438
# n=8518969207529636389484032230886536704406768047371377256638626913642749445259329340941109791553519452501892180150380956873522604338824472473236167891564393
n = q * p
# print(n)
d = gmpy2.invert(e, (p - 1) * (q - 1))
print("d=", d)
m = pow(c, d, n)
print(m)
print(long_to_bytes(m))

1722395080668-cbdd4cc6-4216-4a81-8fe9-08e2c9e085e3.png

enc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
from Crypto.Cipher import AES
import base64
import json

# 与JavaScript中相同的密钥和IV
key = b'1234123412ABCDEF'
iv = b'1234123412ABCDEF'


def decrypt(encrypted_text):
    # 将Base64编码的密文转换为字节
    encrypted_bytes = base64.b64decode(encrypted_text)

    # 使用AES进行解密
    cipher = AES.new(key, AES.MODE_CBC, iv)
    decrypted_bytes = cipher.decrypt(encrypted_bytes)

    # 去除填充
    pad_len = decrypted_bytes[-1]
    decrypted_bytes = decrypted_bytes[:-pad_len]

    # 将解密后的字节转换为字符串
    decrypted_text = decrypted_bytes.decode('utf-8')

    # 尝试解析为JSON对象
    try:
        decrypted_data = json.loads(decrypted_text)
        return decrypted_data
    except json.JSONDecodeError:
        return decrypted_text
a='2rn7Wcu6OECQFBrkBSCzvQ=='
print(decrypt(a))

BASIC_rsa?

得到十进制的p

1722407532145-51dcf492-3661-4a58-b389-120290df4e34.png

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
import gmpy2
from Crypto.Util.number import long_to_bytes

p = 11078621793949482625914372710810959398675963822415939216168633283415944613128498588716242943797946558845513908279515179517717865327915107375374373236695797

e = 65537
c = 34249174398573844561724553123097991805748045349941051239905387500962666334254143693989050793644602109372118418179926824099494693623993781741261080861283160331937184329685234484575779194527204931907049442889394176292943564908081818520471872867158523349155125154566723265694918287939042067461946833720803908419

n = 127697470012830699516312095200727334137458073897637275467480374448830146587852701396242747281584152916736575300669782612348674479798285191271836719149002228481986613159355642035344516698166166815694171737146410931677450051628031191289869988494519088068698936030651830429428544621447638050279630876476422484677

# 确保 q 是一个整数
q = n // p
print("q =", q)

# 计算 d
phi = (p - 1) * (q - 1)
d = gmpy2.invert(e, phi)
print("d =", d)

# 解密消息
m = pow(c, d, n)
print("m =", m)
print("Decrypted message:", long_to_bytes(m))

1722407696843-5044428b-c515-401a-adb4-9f5957ad25a7.png

common(多组nc)

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
import gmpy2
import libnum
from Crypto.Util.number import long_to_bytes

n1 = 132963755548206229559127689166757584511233225283043942347398006713394304522162906766220322689091908141056178489298724072090068593524622575063324464083235534352678901324592982116353558072908375775464810233662811977377434641059529949137944412090936664215705396037823298138229472328757455343491215225582072326609
n2 = 135715978430684287381713379483929616945110106139653924228097245208713615447908876761578043850197920250417331466583068362027199914761824520739671581870758012290130748364801002790393321246996987185380538754400076604470645538272868000108348182618645865412772843015157084652883886834388848492901314867879577439991
c1 = 118311856007994446471425653368270431815268347185806809785193216737612021273781210857995561399953518478531629168544046740368055620359324847835880188911396310860156525631827183309640891399780327812381201798593921912143408764197609046182658951137157492643749925697701468531330210148652740735483028164075625352731
c2 = 10880604230339738820239117607212371216541411086376043211246572277203913063699089407935153227605276627875795616322147701707404835648471284140116567004143554388076937920404785484782546601765715529529539324463336305223709231573270251380061360588847679377993816543999438875782700254270857313316044309542281002278

# ...此处省略20组n和c

e = 65537
n = []
c = []
p = []
for i in range(1, 2):
    n.append(eval('n' + str(i)))
    c.append(eval('c' + str(i)))
data = list(zip(n, c))
for i in range(len(n)):
    for j in range(i + 1, len(n)):
        if gmpy2.gcd(n[i], n[j]) != 1:
            print(i, j)  # i=4,j=17
            print(gmpy2.gcd(n[i], n[j]))
p = gmpy2.gcd(n1, n2)
q = n1 // p
d1 = gmpy2.invert(e, (p - 1) * (q - 1))
print("d1=",d1)
m1 = pow(c1, d1, n1)


p = gmpy2.gcd(n1, n2)
q = n2 // p
d2 = gmpy2.invert(e, (p - 1) * (q - 1))
print("d2=",d2)
m2 = pow(c2, d2, n2)
print(long_to_bytes(m1),end='')
print(long_to_bytes(m2))

1722407993358-c40157e2-3bf8-4e17-a67f-33543893e554.png

RE

Hard_Signin

ida打不开,题目说文件被改了,放到010看一下

1722396489215-630723df-f124-4f4c-a318-175adb3e7d0d.png

发现头被改了

正常的头

1722396580134-e3f904ae-5e10-4225-8449-51366412b409.png

改回来就可以看到有个upx壳了

1722396536086-20a9f578-d28f-4c0f-8938-c2d16a69438a.png

1722396634438-b4f14c6d-cc4b-45e1-add4-48634d61004c.png

脱壳后放入ida得到flag

1722396435274-41529e7f-40f3-4e19-adc2-2902c4be58e2.png

不要非预期

1722389363066-66f2c5b1-b33c-4252-9831-40c3e1c3edad.png

Python_Revenge

3.10

magic number 6F 0D 0D 61

1722412845734-95b21973-c815-4e02-beee-9f16de23579b.png

将后缀改成pyc

放到kali里面用pycdc反编译

1722413189287-cb2557d4-dbdc-4a10-bc1c-3f0c35b57ba5.png

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
# Source Generated with Decompyle++
# File: python.pyc (Python 3.10)

import base64
str = ''
print('Please input your flag:')
str1 = input(str)
a = base64.b64encode(str1.encode('utf-8'))
a = a.decode()
s = []
s1 = [72,112,107,87,68,86,49,85,55,90,69,86,122,66,85,90,119,57,86,101,102,78,87,101,102,53,87,97,50,78,106,99,122,74,88,90,61,48,88,90]
for i in range(len(a)):
    s.append(ord(a[i]))
for i in range(0, len(s), 4):
    s[i] = s[i + 3]
    s[i + 3] = s[i]
    s[i + 1] = s[i + 2]
    s[i + 2] = s[i + 1]
for i in range(len(s)):
    if s[i] != s1[i]:
        print('Wrong')
        exit(0)
print('success')

exp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
import base64

s = [72, 112, 107, 87, 68, 86, 49, 85, 55, 90, 69, 86, 122, 66, 85, 90, 119, 57, 86, 101, 102, 78, 87, 101, 102, 53, 87, 97, 50, 78, 106, 99, 122, 74, 88, 90, 61, 48, 88, 90]


for i in range(0, len(s), 4):
    s[i], s[i + 3] = s[i + 3], s[i]
    s[i + 1], s[i + 2] = s[i + 2], s[i + 1]
encoded_str = ''.join(chr(num) for num in s)

original_str = base64.b64decode(encoded_str).decode('utf-8')

print(original_str)

1722413890009-eba83a0e-8090-47ae-9fc6-f601b94e503d.png

Assembly_Yao

edx=‘@’ 0x40

更新: 2024-12-24 15:55:53
原文: https://www.yuque.com/chaye-apqbl/vsc85q/qh5y1yli8mfx1q3b

http://example.com/2026/01/19/WP/2024/暑假内部赛/
Author
chaye
Posted on
January 19, 2026
Licensed under