SUSCTF2022WP
出了一道Re,另一道是dart和flutter,干不动就这样了,又玩了会红警,整挺好
比赛结束发现还有团队赛。。。
等官方wp出了再复盘吧
Re
DigitalCircuits
python pyinstxtractor.py DigitalCircuits.exe
把解包文件夹里的DigitalCircuits提取出来,再把struct文件里的magic number复制过来,补到它的开头作为pyc文件头
利用网站反编译
得到
def f1(a, b):  # &
    """Single-bit AND over the characters '0' and '1'.

    Returns '1' only when both arguments are exactly '1'; every other
    pair of inputs yields '0'.
    """
    both_set = a == '1' and b == '1'
    return '1' if both_set else '0'
def f2(a, b):  # |
    """Single-bit OR over the characters '0' and '1'.

    Returns '0' only when both arguments are exactly '0'; every other
    pair of inputs yields '1'.
    """
    both_clear = a == '0' and b == '0'
    return '0' if both_clear else '1'
def f3(a):  # ~
    """Single-bit NOT over the characters '0' and '1'.

    Any argument other than '0' or '1' matches neither test, so the
    result is None.
    """
    return '0' if a == '1' else ('1' if a == '0' else None)
def f4(a, b):
    """Single-bit XOR, built as (a AND NOT b) OR (NOT a AND b)."""
    a_without_b = f1(a, f3(b))
    b_without_a = f1(f3(a), b)
    return f2(a_without_b, b_without_a)
def f51(x, y, z):
    """Sum bit of a one-bit full adder: x XOR y XOR z (z is the carry in)."""
    return f4(f4(x, y), z)
def f52(x, y, z):
    """Carry-out bit of a one-bit full adder: (x AND y) OR (z AND (x OR y))."""
    both = f1(x, y)
    either = f2(x, y)
    return f2(both, f1(z, either))
def f6(a, b):
    """Add two 32-character bit strings with a ripple-carry adder.

    Both operands are reversed so that index 0 is the last character of
    the input, then 32 positions are added one at a time with f51 (sum
    bit) and f52 (carry). The carry left over after position 31 is
    dropped, so the result wraps at 32 bits. The returned string is
    reversed back to the input orientation.
    """
    lsb_first_a = a[::-1]
    lsb_first_b = b[::-1]
    carry = '0'
    total = ''
    for pos in range(32):
        bit_a, bit_b = lsb_first_a[pos], lsb_first_b[pos]
        total += f51(bit_a, bit_b, carry)
        carry = f52(bit_a, bit_b, carry)
    return total[::-1]
def f7(a, n):  # left shift
    """Shift a bit string left by n: drop the first n characters and
    append n '0' characters, so the length is unchanged for n <= len(a).
    """
    kept = a[n:]
    return kept + '0' * n
def f8(a, n):  # right shift
    """Shift a bit string right by n: prepend n '0' characters and drop
    the last n characters (a logical shift, no sign extension).
    """
    # NOTE: n == 0 returns '' because a[:-0] is a[:0]; the only calls in
    # this listing pass n = 5.
    fill = n * '0'
    kept = a[:-n]
    return fill + kept
def f9(a, b):
    """Bitwise XOR of the first 32 characters of two bit strings."""
    mixed = ''
    for pos in range(32):
        mixed += f4(a[pos], b[pos])
    return mixed
def f10(v0, v1, k0, k1, k2, k3):
    """Encrypt one 64-bit block given as two 32-character bit strings.

    Runs 32 rounds. Each round adds the constant 0x9E3779B9 to a running
    sum and then updates v0 and v1 in turn from a 4-bit left shift, a
    5-bit right shift, the running sum and two of the four key words.
    Every addition goes through f6 and so wraps at 32 bits. The round
    structure matches the TEA encrypt() routine shown in C later on the
    page.

    Returns the 64-character concatenation v0 + v1.
    """
    running_sum = '00000000000000000000000000000000'  # sum
    delta = '10011110001101110111100110111001'  # 9E 37 79 B9
    for _ in range(32):
        running_sum = f6(running_sum, delta)

        # v0 += ((v1 << 4) + k0) ^ (v1 + sum) ^ ((v1 >> 5) + k1)
        left_term = f6(f7(v1, 4), k0)
        sum_term = f6(v1, running_sum)
        right_term = f6(f8(v1, 5), k1)
        v0 = f6(v0, f9(f9(left_term, sum_term), right_term))

        # v1 += ((v0 << 4) + k2) ^ (v0 + sum) ^ ((v0 >> 5) + k3)
        left_term = f6(f7(v0, 4), k2)
        sum_term = f6(v0, running_sum)
        right_term = f6(f8(v0, 5), k3)
        v1 = f6(v1, f9(f9(left_term, sum_term), right_term))
    return v0 + v1
# Key words: each 16-bit pattern is left-padded with zeros to 32 bits.
# The key and the expected ciphertext are both embedded in the script, so
# the expected value can be decrypted directly to recover the flag.
k0 = '0100010001000101'.zfill(32)  # key=DEADBEEF; 0x4445 is ASCII "DE"
k1 = '0100000101000100'.zfill(32)  # 0x4144, ASCII "AD"
k2 = '0100001001000101'.zfill(32)  # 0x4245, ASCII "BE"
k3 = '0100010101000110'.zfill(32)  # 0x4546, ASCII "EF"

flag = input('please input flag:')
# The prefix test runs first, so an empty input is rejected before the
# closing-brace test matters.
if not flag.startswith('SUSCTF{') or not flag.endswith('}'):
    print('Error!!!The formate of flag is SUSCTF{XXX}')
    exit(0)

flagstr = flag[7:-1]
if len(flagstr) != 24:
    print(len(flag))
    print('Error!!!The length of flag 24')
    exit(0)

res = ''
for i in range(0, len(flagstr), 8):  # characters 0-7, 8-15, 16-23
    # Four characters per 32-bit word, first character in the top 8 bits.
    v0 = ''.join(bin(ord(ch))[2:].zfill(8) for ch in flagstr[i:i + 4])
    v1 = ''.join(bin(ord(ch))[2:].zfill(8) for ch in flagstr[i + 4:i + 8])
    res += f10(v0, v1, k0, k1, k2, k3)
print(res)

# 192 bits: three encrypted 64-bit blocks, compared as a bit string.
expected = '001111101000100101000111110010111100110010010100010001100011100100110001001101011000001110001000001110110000101101101000100100111101101001100010011100110110000100111011001011100110010000100111'
print('True' if res == expected else 'False')
# SUSCTF{XBvfaEdQvbcrxPBh8AOcJ6gA}
通过特征常量0x9e3779b9,以及左移4位、右移5位的运算,判断是TEA加密;密钥就是上面的k0~k3(DEADBEEF),用下面的脚本解密
#include <stdio.h>
#include <stdint.h>
//加密函数
/*
 * Encrypt one 64-bit block in place.
 *
 * v points to two 32-bit words (the block), k to four 32-bit words (the
 * key). Runs 32 rounds; each round adds delta to sum and then updates
 * both halves. The arithmetic is meant to wrap at 32 bits.
 */
void encrypt(uint32_t *v, uint32_t *k)
{
    const uint32_t delta = 0x9e3779b9; /* added to sum once per round */
    uint32_t left = v[0];
    uint32_t right = v[1];
    uint32_t sum = 0;
    int round;

    for (round = 0; round < 32; ++round) {
        sum += delta;
        left += ((right << 4) + k[0]) ^ (right + sum) ^ ((right >> 5) + k[1]);
        right += ((left << 4) + k[2]) ^ (left + sum) ^ ((left >> 5) + k[3]);
    }

    /* The block is written back only after all rounds have finished. */
    v[0] = left;
    v[1] = right;
}
//解密函数
/*
 * Decrypt one 64-bit block in place; the inverse of encrypt().
 *
 * v points to two 32-bit words (the block), k to four 32-bit words (the
 * key). sum starts at delta * 32, the value it holds after the last
 * encryption round, and the 32 rounds are undone in reverse order.
 */
void decrypt(uint32_t *v, uint32_t *k)
{
    const uint32_t delta = 0x9e3779b9;
    uint32_t left = v[0];
    uint32_t right = v[1];
    uint32_t sum = delta * 32; /* wraps at 32 bits */
    int remaining;

    for (remaining = 32; remaining > 0; --remaining) {
        /* Undo the second half-round first, then the first. */
        right -= ((left << 4) + k[2]) ^ (left + sum) ^ ((left >> 5) + k[3]);
        left -= ((right << 4) + k[0]) ^ (right + sum) ^ ((right >> 5) + k[1]);
        sum -= delta;
    }

    v[0] = left;
    v[1] = right;
}
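/*
 * Decrypt the three 64-bit ciphertext blocks taken from the Python
 * script's comparison string and dump the plaintext bytes.
 */
int main()
{
    /*
     * Key words are the ASCII pairs "DE", "AD", "BE", "EF", matching
     * k0..k3 in the Python script. They are written as hex because the
     * value of a multi-character constant such as 'DE' is
     * implementation-defined.
     */
    uint32_t k[4] = {0x4445, 0x4144, 0x4245, 0x4546};
    uint32_t v[] = {0x3E8947CB, 0xCC944639};
    uint32_t v1[] = {0x31358388, 0x3B0B6893};
    uint32_t v2[] = {0xDA627361, 0x3B2E6427};
    uint32_t *blocks[] = {v, v1, v2};
    unsigned long block_count = sizeof blocks / sizeof blocks[0];
    unsigned long len = 8; /* bytes per block */
    unsigned long b, i;

    for (b = 0; b < block_count; b++)
    {
        decrypt(blocks[b], k);
    }

    /*
     * The 8 plaintext bytes are not NUL-terminated, so the print is
     * bounded with a precision instead of using puts(), which would
     * read past the end of the array.
     */
    printf("%.*s\n", (int)len, (const char *)v);

    /*
     * Bytes are printed in memory order. On a little-endian host that is
     * least-significant byte first, so every 4-character group comes out
     * reversed relative to the Python script, which packs the first
     * character into the top 8 bits of each word.
     */
    for (b = 0; b < block_count; b++)
    {
        const unsigned char *bytes = (const unsigned char *)blocks[b];
        for (i = 0; i < len; i++)
        {
            /* unsigned char keeps bytes >= 0x80 from sign-extending */
            printf("%x ", bytes[i]);
        }
    }
    return 0;
}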
直接输出的结果不对,然后想起来是小端序:每个32位字在内存里低字节在前,所以每4个字符的顺序是反的
最后按4个字符一组逆序输出
s = "fvBXQdEarcbvhBPxcOA8Ag6J"
# Each 4-character group is one 32-bit word dumped in memory order;
# reversing every group restores the original character order.
groups = (s[start:start + 4] for start in range(0, len(s), 4))
print("".join(group[::-1] for group in groups), end="")
SUSCTF{XBvfaEdQvbcrxPBh8AOcJ6gA}
MISC
ra2
战役地图围墙把基地保护好,造了条狗探路,最后在地图下面有个牌子,牌子上有flag
SUSCTF{RED_ALERT_WINNER}