2024闽盾杯初赛 Crypto&MISC_闽盾杯2024wp-CSDN博客

本文链接：https://blog.csdn.net/qq_63923205/article/details/139936966

没打，事后找学弟要了附件，难度不是很高，除了那题很抽象的空白其他都不难。

Crypto

学会SM

签到，没啥好说的：

源码和数据都要保护

根据描述，看了下文件头确定是beast扩展，加密方式是DES，解密：

from Crypto.Cipher import DES
from Crypto.Util.Padding import pad

ECB_KEY = b'\x01\x1F\x01\x1F\x01\x0E\x01\x0E'
HEAD_LENGTH = 8
ENCRYPT_TYPES = [ 'DES', "AES" , 'BASE64']

def des_decrypt(ciphertext):
    cipher = DES.new(ECB_KEY, DES.MODE_ECB)
    plaintext = cipher.decrypt(ciphertext)
    return plaintext.decode('utf-8', errors='ignore')

with open('./my_encode.php', 'rb') as f:
    content = f.read()
    head_sign = content[:HEAD_LENGTH]
    file_size = int.from_bytes(content[HEAD_LENGTH: HEAD_LENGTH + 4], 'big') 
    encrypt_type = int.from_bytes(content[HEAD_LENGTH + (4 * 2): HEAD_LENGTH + (4 * 3)], 'big')
    print('[+] file size: %dB' % file_size)
    print('[+] encrypt type: %s' % ENCRYPT_TYPES[encrypt_type - 1])
    enc_filedata = content[HEAD_LENGTH + (4 * 3):]
    padded_content = pad(enc_filedata, DES.block_size)
    plaintext = des_decrypt(padded_content)
    print(plaintext)

解密后的PHP代码：

<?php
function my_encode($str,$key){ 
	$re=''; $len=strlen($str); 
	for($i=0;$i<$len;$i++){ 
		$c=substr($str,$i,1); 
		$k=substr($key,($i%strlen($key)),1); 
		$num=ord($c)+ord($k); 
		if($num>255) $num-=256; 
		$re.=chr($num); 
	} 
	return $re; 
} 

function my_decode($str,$key){ 
	return 'Something missed.'; 
} 

$data=@$_GET['data']; 
$key=@$_GET['key']; 
if($key=='') $key='hdhd4321'; 
if($data!=''){ 
	$mi=my_encode($data,$key); 
	file_put_contents('data_encoded.txt',$mi); 
	echo 'Saved to data_encoded.txt'; 
} 
?>

按位减去hdhd4321即可：

我的进制我做主

观察附件，发现文档中包含了a-r除了i的17个字母，猜测是18进制，a-r依次对应0-9a-h，exp：

replace_dic = {"a":"0", "b":"1", "c":"2", "d":"3", "e":"4", "f":"5", "g":"6", "h":"7", "i":"8", "j":"9", "k":"a", "l":"b", "m":"c", "n":"d", "o":"e", "p":"f", "q":"g", "r":"h"}
ciphertext = "ergdgjboglfpgcbpbofmgafhfngpfoflfpfkgjgccndcfqfpgcgofofpdadadagr"
res = ""
flag = ""

for i in ciphertext:
    res += replace_dic[i]

for j in range(0, len(res), 2):
    flag += chr(int(res[j:j+2], 18))

print(flag)

MISC

一个logo

B0通道明显隐写：

学会office

因为用wps执行不了也看不了宏（，所以随便找了个在线网站提取了一下：

Attribute VB_Name = "模块1"
Sub jiami()
    Dim x As Long, data As String, tmp As String
    For x = 3 To 99
        data = Trim(ActiveSheet.Range("I" & x))
        If data = "" Then Exit For
        tmp = Left(data, 1)
        data = Right(data, Len(data) - 1)
        ActiveSheet.Range("I" & x) = "" & Chr(Asc(tmp) + 3) & data
    Next x
    MsgBox "完成，请查看该列内容！"
End Sub

Sub jiemi()
    Dim x As Long, data As String, tmp As String
    For x = 3 To 99
        data = Trim(ActiveSheet.Range("I" & x))
        If data = "" Then Exit For
        tmp = Left(data, 1)
        data = Right(data, Len(data) - 1)
        ActiveSheet.Range("I" & x) = Chr(Asc(tmp) - 3) & data
    Next x
    MsgBox "完成，请查看该列内容！"
End Sub

那么就全部ascii减3，有一个很奇怪的字符直接猜测解密完是}，但是发现解出来顺序不对。最后测试是要根据计算机成绩进行排序，exp：

tmp = ['i','o','d','j','~','m','l','v','x','d','q','m','l','f','k','h','q','j','m','l','m','x','h','g','l','q','j','e','l','v','d','l','s','d','l','p','l','q','j','}','t','l','w','d','g','h','m','l','q','j','r','q','j','f','d','q','n','d','r','v','x','l','e','l','d','q','o','h']
flag = ""
for i in tmp:
    if i != "}":
        flag += chr(ord(i) - 3)
    else:
        flag += i


print(flag)

gogogo

逻辑一眼顶针，直接写一个解密上去：

func Decrypt(cipherText []byte) []byte {
	
    privateKeyFromPem, err := x509.ReadPrivateKeyFromPem(pri, nil)
    if err != nil {
        panic(err)
    }
    planiText, err := privateKeyFromPem.DecryptAsn1(cipherText)
    if err != nil {
        panic(err)
    }
    return planiText
}

func (e EncryptController) Decrypt(r *gin.Context) {
	encryptedFlag := []byte{48, 125, 2, 33, 0, 238, 212, 154, 134, 255, 91, 109, 210, 231, 242, 184, 9, 103, 26, 30, 241, 93, 242, 68, 119, 148, 9, 21, 5, 241, 175, 203, 3, 152, 63, 85, 82, 2, 32, 2, 156, 154, 131, 146, 194, 242, 200, 19, 109, 209, 151, 90, 252, 165, 49, 247, 141, 208, 219, 117, 226, 91, 113, 225, 0, 33, 162, 19, 87, 49, 68, 4, 32, 213, 16, 18, 177, 119, 110, 74, 6, 147, 235, 85, 0, 61, 4, 1, 43, 107, 207, 249, 37, 195, 141, 141, 23, 244, 159, 235, 159, 169, 243, 160, 37, 4, 20, 179, 67, 236, 205, 121, 146, 216, 75, 168, 197, 214, 34, 63, 138, 237, 247, 166, 117, 246, 210}
	plainText := Decrypt(encryptedFlag)
	r.JSON(http.StatusOK, gin.H{"flag": string(plainText)})
}

补一个路由，解密：

package router

import (
	"demo03/controller"
	"github.com/gin-gonic/gin"
)

func Router() *gin.Engine {
	r := gin.Default()

	enc := r.Group("/")
	{
		enc.GET("/encrypt", controller.EncryptController{}.Encrypt)
		enc.GET("/decrypt", controller.EncryptController{}.Decrypt)
	}

	return r
}