红白机

看了一眼是 6502 汇编,直接找了个模拟器跑了一下:

Screenshot-202401311703.webp

xor

愣是让我手搓了半天。直接去 IDA 把大体逻辑扒拉下来:

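# Reconstruction of the ROM's flag check as read from the disassembly.
# `flag` is the 32-character input under test; this listing does not define it.
# Indentation of the loop bodies was lost in the page extraction and is restored here.
#
# Every step below is an XOR with a fixed constant. XOR is commutative and
# self-inverse, so the stage order adds no strength: the whole routine is
# equivalent to XOR-ing each half with one fixed 16-byte mask.
lst1 = [ord(i) for i in "6329079420771558"]
lst2 = [ord(i) for i in "7679621386735000"]

# Split the input into two 16-byte halves.
lst3 = [ord(i) for i in flag[:16]]
lst4 = [ord(i) for i in flag[16:]]

# Round 1: forward-indexed XOR with both constants.
for i in range(16):
    lst3[i] ^= lst2[i]
    lst4[i] ^= lst1[i]
for i in range(16):
    lst3[i] ^= lst1[i]
    lst4[i] ^= lst2[i]
# Reverse-indexed XOR; index 0 is skipped because 16 - 0 would be out of range.
for i in range(1, 16):
    lst3[i] ^= lst2[16-i]
    lst4[i] ^= lst1[16-i]
for i in range(1, 16):
    lst3[i] ^= lst1[16-i]
    lst4[i] ^= lst2[16-i]

lst6 = [ord(i) for i in "4180387362590136"]
lst7 = [ord(i) for i in "3092606632787947"]

# These are aliases, not copies: round 2 keeps mutating the same two lists.
lst8 = lst4
lst9 = lst3

# Round 2: same pattern with the second pair of constants.
for i in range(16):
    lst8[i] ^= lst7[i]
    lst9[i] ^= lst6[i]
for i in range(16):
    lst8[i] ^= lst6[i]
    lst9[i] ^= lst7[i]
for i in range(1, 16):
    lst8[i] ^= lst7[16-i]
    lst9[i] ^= lst6[16-i]
for i in range(1, 16):
    lst8[i] ^= lst6[16-i]
    lst9[i] ^= lst7[16-i]

# First half (lst9 is lst3) followed by second half (lst8 is lst4).
lst0 = lst9 + lst8

# The check passes when the transformed input equals this embedded constant.
assert lst0 == [ord(i) for i in "`agh{^bvuwTooahlYocPtmyiijj|ek'p"]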

反过来,写一下,跑一遍,就拿 Flag 了(异或是自反运算,把同样的异或按相反顺序再做一遍即可还原输入):

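# Inverse of the check routine: start from the embedded target bytes and undo
# each XOR stage in reverse order. Indentation of the loop bodies was lost in
# the page extraction and is restored here.
#
# Because XOR is commutative and self-inverse, undoing a stage is the same
# operation as applying it, and the order is kept only to mirror the original.
fin = [ord(i) for i in "`agh{^bvuwTooahlYocPtmyiijj|ek'p"]

# The check concatenated the first half then the second half.
lst9 = fin[:16]
lst8 = fin[16:]

lst7 = [ord(i) for i in "3092606632787947"]
lst6 = [ord(i) for i in "4180387362590136"]

# Undo round 2 (reverse-indexed stages first, index 0 untouched by them).
for i in range(1, 16):
    lst8[i] ^= lst6[16-i]
    lst9[i] ^= lst7[16-i]
for i in range(1, 16):
    lst8[i] ^= lst7[16-i]
    lst9[i] ^= lst6[16-i]
for i in range(16):
    lst8[i] ^= lst6[i]
    lst9[i] ^= lst7[i]
for i in range(16):
    lst8[i] ^= lst7[i]
    lst9[i] ^= lst6[i]

# Aliases, matching the forward routine's lst8 = lst4 / lst9 = lst3.
lst4 = lst8
lst3 = lst9

lst1 = [ord(i) for i in "6329079420771558"]
lst2 = [ord(i) for i in "7679621386735000"]

# Undo round 1.
for i in range(1, 16):
    lst3[i] ^= lst1[16-i]
    lst4[i] ^= lst2[16-i]
for i in range(1, 16):
    lst3[i] ^= lst2[16-i]
    lst4[i] ^= lst1[16-i]
for i in range(16):
    lst3[i] ^= lst1[i]
    lst4[i] ^= lst2[i]
for i in range(16):
    lst3[i] ^= lst2[i]
    lst4[i] ^= lst1[i]

# Reassemble the two halves into the original 32-character input.
flag = "".join([chr(i) for i in lst3 + lst4])

print(flag)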

ezpython

在混沌的源头寻找秩序,当时间的沙漏倒置,你会发现钥匙不仅仅藏在表面之下。

是 Python,但是打包好的 exe 文件。拿 pyinstxtractor 和 uncompyle6 解包和反编译后可以看到源码:

from gmssl import sm4
from secret import key, enc
# key = 'BeginCTFBeginCTF'
# enc = b'JmjJEAJGMT6F9bmC+Vyxy8Z1lpfaJzdEX6BGG/qgqUjUpQaYSON1CnZyX9YXTEClSRYm7PFZtGxmJw6LPuw1ww=='
import base64

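def pad_pkcs7(data):
    """Append PKCS#7 padding for a 16-byte block size.

    Between 1 and 16 bytes are always added, each holding the padding
    length, so input that is already block-aligned gains a full extra block.

    Args:
        data: the bytes to pad.

    Returns:
        ``data`` followed by the padding bytes.
    """
    padding_len = 16 - len(data) % 16
    return data + bytes([padding_len]) * padding_len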


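def unpad_pkcs7(padded_data):
    """Strip PKCS#7 padding (16-byte block size) and return the payload.

    The padding is validated before it is removed. Without the checks, a
    final byte of 0 makes the slice ``[:-0]`` return an empty result, and
    any other final byte silently truncates that many bytes.

    Args:
        padded_data: bytes ending in PKCS#7 padding.

    Returns:
        The data with the padding removed.

    Raises:
        ValueError: if the input is empty or the padding is malformed.
    """
    if not padded_data:
        raise ValueError("invalid PKCS#7 padding")
    padding_len = padded_data[-1]
    if not 1 <= padding_len <= 16 or padding_len > len(padded_data):
        raise ValueError("invalid PKCS#7 padding")
    # Every padding byte must carry the padding length.
    if padded_data[-padding_len:] != bytes([padding_len]) * padding_len:
        raise ValueError("invalid PKCS#7 padding")
    # NOTE: a distinguishable padding error on unauthenticated ciphertext can
    # act as a padding oracle; authenticate ciphertext before unpadding.
    return padded_data[:-padding_len]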

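class SM4:
    """Thin wrapper around ``gmssl.sm4.CryptSM4`` used by the flag checker.

    NOTE: the result depends on the ``gmssl`` copy bundled in the executable.
    The packaged ``set_key`` shown on this page XORs every key byte with 37,
    so the key passed in here is not the key actually used.
    """

    def __init__(self):
        self.gmsm4 = sm4.CryptSM4()

    def encryptSM4(self, encrypt_key, value):
        """Encrypt ``value`` with SM4 in ECB mode and return it base64-encoded.

        Args:
            encrypt_key: key as a str; it is encoded to bytes before use.
            value: plaintext as a str; it is encoded and PKCS#7-padded.

        Returns:
            The base64-encoded ciphertext as bytes.
        """
        cipher = self.gmsm4
        cipher.set_key(encrypt_key.encode(), sm4.SM4_ENCRYPT)
        padded_value = pad_pkcs7(value.encode())
        # ECB encrypts each block independently: equal plaintext blocks give
        # equal ciphertext blocks, and there is no integrity protection.
        return base64.b64encode(cipher.crypt_ecb(padded_value))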

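if __name__ == '__main__':
    # Entry point of the checker: encrypt the user's input with the embedded
    # key and compare the result with the embedded ciphertext. Indentation
    # was lost in the page extraction and is restored here.
    print('请输入你的flag:')
    flag = input()
    sm4_instance = SM4()
    flag_1 = sm4_instance.encryptSM4(key, flag)
    # Key and expected ciphertext both ship inside the binary, so the check
    # can be inverted offline once the real key derivation is known.
    if flag_1 != enc:
        print('flag错误!!')
    else:
        print('恭喜你获得flag😊😀')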

很好啊,直接解密… 哎?怎么解密不出来。那就看一眼打包好的 gmssl/sm4 吧:


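class CryptSM4(object):
    # Excerpt from the gmssl/sm4 module bundled inside the executable; the
    # rest of the class is elided on the page.
    def set_key(self, key, mode):
        key = bytes_to_list(key)
        # The decompiler printed the iterable as `.0`, the comprehension's
        # hidden iterator argument; it stands for `key`.
        # Every key byte is XORed with 37 before the key schedule runs, so
        # this vendored copy does not behave like the dependency it is named
        # after. Compare bundled dependencies against a known-good copy
        # before trusting their behaviour.
        key = [k ^ 37 for k in key]
        ...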

哎好,在依赖里面藏了个坑。不过这个坑也不难填,直接把 key 里面的每个字节都异或 37 然后正常 SM4 解密就行了。

real checkin xor

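def verify_func(ciper, key):
    """XOR each character of ``ciper`` with the repeating ``key``.

    Args:
        ciper: input string (spelling kept from the original).
        key: key string, repeated cyclically over the input.

    Returns:
        A list of ints, one per input character.
    """
    return [ord(ch) ^ ord(key[i % len(key)]) for i, ch in enumerate(ciper)]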

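# Expected result of XOR-ing the correct input with the key below.
secret = [7, 31, 56, 25, 23, 15, 91, 21, 49, 15, 33, 88, 26, 48, 60, 58, 4, 86, 36, 64, 23, 54, 63, 0, 54, 22, 6, 55, 59, 38, 108, 39, 45, 23, 102, 27, 11, 56, 32, 0, 82, 24]
print("这是一个保险箱,你能输入相关的key来进行解密吗?")
input_line = input("请输入key > ")
# The XOR key is a hard-coded constant next to `secret`, so this is
# obfuscation rather than protection: XOR-ing `secret` with the key gives
# the expected input directly.
if verify_func(input_line,"ez_python_xor_reverse") == secret:
    print("密码正确")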

签到题。

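def verify_func(ciper, key):
    """XOR each integer of ``ciper`` with the repeating ``key``.

    This is the challenge's routine adapted to take a list of ints instead
    of a string, so the same XOR recovers the original input.

    Args:
        ciper: sequence of ints (spelling kept from the original).
        key: key string, repeated cyclically over the input.

    Returns:
        A list of ints, one per input element.
    """
    return [value ^ ord(key[i % len(key)]) for i, value in enumerate(ciper)]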

# Despite its name, `cipher` holds the XOR key; `secret` holds the bytes to decode.
cipher = "ez_python_xor_reverse"
secret = [7, 31, 56, 25, 23, 15, 91, 21, 49, 15, 33, 88, 26, 48, 60, 58, 4, 86, 36, 64, 23, 54, 63, 0, 54, 22, 6, 55, 59, 38, 108, 39, 45, 23, 102, 27, 11, 56, 32, 0, 82, 24]
# XOR-ing the stored values with the key again yields the expected input.
print("".join(chr(x) for x in verify_func(secret, cipher)))

stick game

Screenshot-202402051745.webp

JavaScript 被混淆了,不过不要紧,稍微格式化后也能看。搜索 score 能找到分数变化部分的代码,手动给它加点分数,然后正常流程结束游戏就可以了(高亮的那一行是我自己补的):