real checkin xor

一个简单的异或

exp

# "real checkin xor": repeating-key XOR. Every ciphertext byte was XORed with
# the key byte at the same position modulo len(key); XOR is its own inverse,
# so applying the key once more yields the flag.
enc = [7, 31, 56, 25, 23, 15, 91, 21, 49, 15, 33, 88, 26, 48, 60, 58, 4, 86, 36, 64, 23, 54, 63, 0, 54, 22, 6, 55, 59, 38, 108, 39, 45, 23, 102, 27, 11, 56, 32, 0, 82, 24]
key = 'ez_python_xor_reverse'
flag = ''.join(
    chr(byte ^ ord(key[pos % len(key)]))  # the key wraps around every len(key) bytes
    for pos, byte in enumerate(enc)
)
print(flag)
#begin{3z_PY7hoN_r3V3rSE_For_TH3_Be9inNEr!}

flag

begin{3z_PY7hoN_r3V3rSE_For_TH3_Be9inNEr!}

xor

搞清楚调用就比较简单了,把变量名修改一下更清晰
2024-02-14T221507
2024-02-14T221537
类似的操作,搞清楚后反着逆回去就行

exp

# "xor" challenge: the 32-byte ciphertext is split into two 16-byte halves
# (a, b) and each half is XORed, over eight passes, with 16-digit halves of two
# 32-digit keys -- sometimes indexed forwards, sometimes from the end. XOR is
# self-inverse, so replaying the same passes recovers the plaintext.
enc = "`agh{^bvuwTooahlYocPtmyiijj|ek'p"
key1 = '63290794207715587679621386735000'
key2 = '41803873625901363092606632787947'
a = [ord(ch) for ch in enc[:16]]
b = [ord(ch) for ch in enc[16:32]]
# every key half gets a trailing 0 so that index 16 -- which the "from the end"
# passes hit at i = 0 -- is a no-op XOR instead of an IndexError
key11 = [ord(ch) for ch in key1[:16]] + [0]
key12 = [ord(ch) for ch in key1[16:32]] + [0]
key21 = [ord(ch) for ch in key2[:16]] + [0]
key22 = [ord(ch) for ch in key2[16:32]] + [0]
print(a)
print(b)
print(key11)
print(key12)
print(key21)
print(key22)


def _xor_half(target, key_half, from_end):
    """XOR target[i] in place with key_half[16 - i] (from_end) or key_half[i], i = 0..15."""
    for i in range(16):
        target[i] ^= key_half[16 - i] if from_end else key_half[i]


# (key applied to a, key applied to b, indexed from the end?) for each pass
_passes = [
    (key22, key21, True),
    (key21, key22, True),
    (key22, key21, False),
    (key21, key22, False),
    (key11, key12, True),
    (key12, key11, True),
    (key11, key12, False),
    (key12, key11, False),
]
for a_key, b_key, from_end in _passes:
    _xor_half(a, a_key, from_end)
    _xor_half(b, b_key, from_end)
flag = ''.join(chr(v) for v in a + b)
print(flag)
#flag{Virus_gonna_be_terminated!}

flag

begin{Virus_gonna_be_terminated!}

红白机

给出如下代码,有点像是汇编

; Fill the four pages $0200-$05FF with the value 1 before anything else happens.
; NOTE(review): the listing itself never says what this range is; the write-up
; runs it in an online 6502 assembler, where $0200-$05FF is commonly a 32x32
; one-byte-per-pixel display -- confirm there rather than assume it.
LDA #$01
LDX #$00
LDY #$FF ; Y is loaded once and never read anywhere below
d:
; loop d: store 1 at $0200+X for X = $00..$FE. Reloading A each time is
; redundant (nothing in the loop changes A). The compare exits once X = $FF.
LDA #$01
STA $200,X
INX
CPX #$ff
BNE d
LDX #$00
STA $2FF,X ; X is 0 here, so this stores the 1 still in A at $02FF, the byte the loop skipped
e:
; same pattern for page $0300
LDA #$01
STA $300,X
INX
CPX #$ff
BNE e
LDX #$00
STA $3FF,X ; $03FF
f:
; same pattern for page $0400
LDA #$01
STA $400,X
INX
CPX #$ff
BNE f
LDX #$00
STA $4FF,X ; $04FF
g:
; same pattern for page $0500
LDA #$01
STA $500,X
INX
CPX #$ff
BNE g
LDX #$00
STA $5FF,X ; $05FF
; From here on A = 0: the code clears single bytes of page $0200, selecting
; each offset either with LDX #imm or by stepping X with INX. The effective
; target address is noted on every store.
LDX #$01
LDA #$00
STA $200,X ; $0201
INX
STA $200,X ; $0202
LDX #$21
STA $200,X ; $0221
LDX #$40
STA $200,X ; $0240
INX
STA $200,X ; $0241
INX
STA $200,X ; $0242
INX ; no effect: X is reloaded on the next line
LDX #$61
STA $200,X ; $0261
LDX #$81
STA $200,X ; $0281
LDX #$04
STA $200,X ; $0204
LDX #$24
STA $200,X ; $0224
LDX #$44
STA $200,X ; $0244
LDX #$64
STA $200,X ; $0264
LDX #$84
STA $200,X ; $0284
LDX #$46
STA $200,X ; $0246
INX
STA $200,X ; $0247
INX
STA $200,X ; $0248
LDX #$66
STA $200,X ; $0266
INX
INX
STA $200,X ; $0268
LDX #$86
STA $200,X ; $0286
INX
STA $200,X ; $0287
INX
STA $200,X ; $0288
INX
STA $200,X ; $0289
LDX #$4B
STA $200,X ; $024B
INX
STA $200,X ; $024C
INX
STA $200,X ; $024D
LDX #$6B
STA $200,X ; $026B
INX
INX
STA $200,X ; $026D
LDX #$8B
STA $200,X ; $028B
INX
STA $200,X ; $028C
INX
STA $200,X ; $028D
LDX #$AD
STA $200,X ; $02AD
LDX #$CB
STA $200,X ; $02CB
INX
STA $200,X ; $02CC
INX
STA $200,X ; $02CD
LDX #$10
STA $200,X ; $0210
INX
STA $200,X ; $0211
LDX #$30
STA $200,X ; $0230
LDX #$50
STA $200,X ; $0250
LDX #$70
STA $200,X ; $0270
LDX #$6F
STA $200,X ; $026F
LDX #$90
STA $200,X ; $0290
LDX #$B0
STA $200,X ; $02B0
LDX #$D0
STA $200,X ; $02D0
INX
STA $200,X ; $02D1
n:
; label n is defined but no branch in this listing targets it; execution
; simply falls through. A is still 0; more single-byte clears in page $0200.
LDX #$34
STA $200,X ; $0234
LDX #$53
STA $200,X ; $0253
INX
INX
STA $200,X ; $0255
LDX #$73
STA $200,X ; $0273
LDX #$93
STA $200,X ; $0293
INX
STA $200,X ; $0294
INX
STA $200,X ; $0295
LDX #$B3
STA $200,X ; $02B3
INX
INX
STA $200,X ; $02B5
LDX #$D4
STA $200,X ; $02D4
LDX #$37
STA $200,X ; $0237
INX
STA $200,X ; $0238
INX
STA $200,X ; $0239
LDX #$57
STA $200,X ; $0257
LDX #$77
STA $200,X ; $0277
INX
STA $200,X ; $0278
LDX #$99
STA $200,X ; $0299
LDX #$B9
STA $200,X ; $02B9
LDX #$D7
STA $200,X ; $02D7
INX
STA $200,X ; $02D8
LDX #$DC
STA $200,X ; $02DC
LDX #$BB
STA $200,X ; $02BB
INX
INX
STA $200,X ; $02BD
LDX #$9B
STA $200,X ; $029B
INX
INX
STA $200,X ; $029D
LDX #$7B
STA $200,X ; $027B
INX
INX
STA $200,X ; $027D
LDX #$5B
STA $200,X ; $025B
INX
INX
STA $200,X ; $025D
LDX #$3C
STA $200,X ; $023C
; Page $0300: same clearing scheme (A = 0), target address noted per store.
LDX #$00
STA $300,X ; $0300
INX
STA $300,X ; $0301
INX
STA $300,X ; $0302
LDX #$22
STA $300,X ; $0322
LDX #$42
STA $300,X ; $0342
LDX #$41
STA $300,X ; $0341
LDX #$61
STA $300,X ; $0361
LDX #$60
STA $300,X ; $0360
LDX #$80
STA $300,X ; $0380
LDX #$A0
; long run stepped only with INX: $03A0..$03B9 with gaps at $A3, $A7, $AB, $AF, $B3, $B7, $B8
STA $300,X ; $03A0
INX
STA $300,X ; $03A1
INX
STA $300,X ; $03A2
INX
INX
STA $300,X ; $03A4
INX
STA $300,X ; $03A5
INX
STA $300,X ; $03A6
INX
INX
STA $300,X ; $03A8
INX
STA $300,X ; $03A9
INX
STA $300,X ; $03AA
INX
INX
STA $300,X ; $03AC
INX
STA $300,X ; $03AD
INX
STA $300,X ; $03AE
INX
INX
STA $300,X ; $03B0
INX
STA $300,X ; $03B1
INX
STA $300,X ; $03B2
INX
INX
STA $300,X ; $03B4
INX
STA $300,X ; $03B5
INX
STA $300,X ; $03B6
INX
INX
INX
STA $300,X ; $03B9
LDX #$08
STA $300,X ; $0308
INX
STA $300,X ; $0309
INX
STA $300,X ; $030A
LDX #$29
STA $300,X ; $0329
LDX #$49
STA $300,X ; $0349
LDX #$69
STA $300,X ; $0369
LDX #$89
STA $300,X ; $0389
LDX #$10
STA $300,X ; $0310
LDX #$30
STA $300,X ; $0330
LDX #$50
STA $300,X ; $0350
LDX #$70
STA $300,X ; $0370
LDX #$90
STA $300,X ; $0390
LDX #$14
STA $300,X ; $0314
INX
STA $300,X ; $0315
INX
STA $300,X ; $0316
LDX #$34
STA $300,X ; $0334
INX
INX
STA $300,X ; $0336
LDX #$54
STA $300,X ; $0354
INX
INX
STA $300,X ; $0356
LDX #$74
STA $300,X ; $0374
INX
INX
STA $300,X ; $0376
LDX #$94
STA $300,X ; $0394
INX
INX
STA $300,X ; $0396
LDX #$18
STA $300,X ; $0318
INX
INX
STA $300,X ; $031A
LDX #$38
STA $300,X ; $0338
INX
INX
STA $300,X ; $033A
LDX #$58
STA $300,X ; $0358
INX
INX
STA $300,X ; $035A
LDX #$78
STA $300,X ; $0378
INX
INX
STA $300,X ; $037A
LDX #$98
STA $300,X ; $0398
INX
INX
STA $300,X ; $039A
LDX #$1C
STA $300,X ; $031C
INX
STA $300,X ; $031D
INX
STA $300,X ; $031E
LDX #$3C
STA $300,X ; $033C
LDX #$5C
STA $300,X ; $035C
INX
STA $300,X ; $035D
INX
STA $300,X ; $035E
LDX #$7C
STA $300,X ; $037C
LDX #$9C
STA $300,X ; $039C
LDX #$BC
STA $300,X ; $03BC
INX
STA $300,X ; $03BD
INX
STA $300,X ; $03BE
; Page $0400 (A = 0). No byte of page $0500 is touched after the initial fill,
; and the listing ends after the last store with no BRK or jump.
LDX #$C0
STA $400,X ; $04C0
INX
STA $400,X ; $04C1
INX
STA $400,X ; $04C2
INX
INX
STA $400,X ; $04C4
INX
STA $400,X ; $04C5
INX
STA $400,X ; $04C6
INX
INX
STA $400,X ; $04C8
INX
STA $400,X ; $04C9
LDX #$A4
STA $400,X ; $04A4
INX
INX
STA $400,X ; $04A6
LDX #$84
STA $400,X ; $0484
INX
INX
STA $400,X ; $0486
LDX #$64
STA $400,X ; $0464
INX
INX
STA $400,X ; $0466
INX
INX
INX
STA $400,X ; $0469
INX
STA $400,X ; $046A
LDX #$08
STA $400,X ; $0408
INX
STA $400,X ; $0409
LDX #$29
STA $400,X ; $0429
LDX #$49
STA $400,X ; $0449
LDX #$89
STA $400,X ; $0489
LDX #$A9
STA $400,X ; $04A9

这是一段6502汇编代码,可以用6502在线汇编器来运行
2024-02-14T222338

flag

begin{6502_I_Love_u}

俄语学习

直接看主函数,有一堆的控制流
2024-03-12T170115
是一堆俄语阅读理解,尝试通过调试跳过
先在第一个jz跳转下断点,调试,然后在第一个jz跳转地址右键 set ip
2024-03-12T171000
来到最后一个跳转,在正确跳转的位置也set ip
2024-03-12T171353
然后一直F8,有提示
2024-03-12T171532
输入完跳转到 sub_71AFAA 函数
F7进入看看,几个关键函数
2024-03-12T171950
2024-03-12T171917
2024-03-12T172054
input + byte_7AAEE8 - 112 之后和密文直接比较,密文是 +i&[@Y:g8[&l$f8S8v$Y&e>{
我们去找找 byte_7AAEE8是什么
看一下交叉引用
2024-03-12T173000
是中间某道题用到的数据,为unk_798E68 - 114
2024-03-12T173219
把unk_798E68 dump出来,写脚本梭
2024-03-12T173504

exp

# "俄语学习": the binary compared (input[i] + byte_7AAEE8[i] - 112) with the
# ciphertext, and byte_7AAEE8 is unk_798E68 - 114 (`source` is the dump of
# unk_798E68), so each flag byte is enc[i] - (source[i] - 114) + 112.
source = [0xA7, 0xDF, 0xA7, 0xD6, 0xA7, 0xE9, 0xA7, 0xD6, 0xA7, 0xD4, 0xA7, 0xE0, 0xA7, 0xDF, 0xA7, 0xD6, 0xA7, 0xE9, 0xA7, 0xD6, 0xA7, 0xD4, 0xA7, 0xE0, 0xA7, 0xDF, 0xA7, 0xD6, 0xA7, 0xE9, 0xA7, 0xD6, 0xA7, 0xD4, 0xA7, 0xE0]
enc = '+i&[@Y:g8[&l$f8S8v$Y&e>{'
# zip stops at the shorter sequence, i.e. after len(enc) characters
flag = ''.join(chr(ord(ch) - (raw - 114) + 112) for ch, raw in zip(enc, source))
print(flag)
#flag{Russian_is_so_easy}

flag

begin{Russian_is_so_easy}

ezpython

python 3.8 打包的exe,先用pyinstxtractor 解包
2024-03-14T122659
uncompyle6 反编译ezpython.pyc

# uncompyle6 version 3.9.0
# Python bytecode version base 3.8.0 (3413)
# Decompiled from: Python 3.9.11 (tags/v3.9.11:2de452f, Mar 16 2022, 14:33:45) [MSC v.1929 64 bit (AMD64)]
# Embedded file name: ezpython.py
from gmssl import sm4
from secret import key, enc
import base64

def pad_pkcs7(data):
    """PKCS#7-pad ``data`` (bytes) to a multiple of 16 bytes.

    Appends ``n`` copies of the byte value ``n`` with ``n = 16 - len(data) % 16``;
    block-aligned input therefore gets a full 16-byte tail.
    """
    padding_len = 16 - len(data) % 16
    padding = bytes([padding_len] * padding_len)
    return data + padding


def unpad_pkcs7(padded_data):
    """Strip PKCS#7 padding, trusting the last byte as the pad length.

    No validation: a trailing 0 gives ``padded_data[:-0]``, i.e. an empty
    result, and an oversized last byte truncates the payload. Not called
    anywhere in this decompiled listing.
    """
    padding_len = padded_data[-1]
    return padded_data[:-padding_len]


class SM4:
    """Encrypts a string with the bundled gmssl SM4 in ECB mode."""

    def __init__(self):
        # CryptSM4 from the gmssl copy shipped inside the exe; its key
        # schedule is the modified one (see the sm4.pyc listing further down)
        self.gmsm4 = sm4.CryptSM4()

    def encryptSM4(self, encrypt_key, value):
        """Return base64(SM4-ECB(encrypt_key, pad_pkcs7(value))) as bytes.

        ``encrypt_key`` and ``value`` are str and are UTF-8 encoded here.
        The plaintext is padded once by pad_pkcs7 and, because CryptSM4 is
        left in its default PKCS7 padding mode, padded again inside crypt_ecb,
        so the ciphertext is one block longer than a single padding would give.
        """
        gmsm4 = self.gmsm4
        gmsm4.set_key(encrypt_key.encode(), sm4.SM4_ENCRYPT)
        padded_value = pad_pkcs7(value.encode())
        encrypt_value = gmsm4.crypt_ecb(padded_value)
        return base64.b64encode(encrypt_value)


if __name__ == '__main__':
    # Read the flag, encrypt it under the key from secret.py and compare with
    # the stored ciphertext. Both sides are bytes (b64encode returns bytes),
    # so `enc` in secret.pyc has to be a bytes literal for the check to ever pass.
    print('请输入你的flag:')
    flag = input()
    sm4_instance = SM4()
    flag_1 = sm4_instance.encryptSM4(key, flag)
    if flag_1 != enc:
        print('flag错误!!')
    else:
        print('恭喜你获得flag😊😀')

可以看到是一个sm4加密,key和enc在secret里
去PYZ-00.pyz_extracted里反编译secret.pyc(python版本不对这里就会是空的)

# Source Generated with Decompyle++
# File: secret.pyc (Python 3.8)

# 16-character key (one SM4 key's worth of bytes once encoded); the ciphertext
# is stored base64-encoded as a bytes literal, matching what encryptSM4 returns.
key = 'BeginCTFBeginCTF'
enc = b'JmjJEAJGMT6F9bmC+Vyxy8Z1lpfaJzdEX6BGG/qgqUjUpQaYSON1CnZyX9YXTEClSRYm7PFZtGxmJw6LPuw1ww=='

直接调用gmssl库解密,发现解不出来,可能是魔改了
看看PYZ-00.pyz_extracted\gmssl\sm4.pyc是不是被魔改了

# uncompyle6 version 3.9.0
# Python bytecode version base 3.8.0 (3413)
# Decompiled from: Python 3.9.11 (tags/v3.9.11:2de452f, Mar 16 2022, 14:33:45) [MSC v.1929 64 bit (AMD64)]
# Embedded file name: gmssl\sm4.py
import copy
from .func import xor, rotl, get_uint32_be, put_uint32_be, bytes_to_list, list_to_bytes, pkcs7_padding, pkcs7_unpadding, zero_padding, zero_unpadding
# 256-entry SM4 S-box. Spot check against the published table: the first row
# (d6 90 e9 fe ...) and the last (... d7 cb 39 48) match; since this copy of the
# library was tampered with (set_key below), a full comparison is still worth
# doing before trusting it.
SM4_BOXES_TABLE = [
    214, 144, 233, 254, 204, 225, 61, 183, 22, 182, 20, 194, 40, 251, 44,
    5, 43, 103, 154, 118, 42, 190, 4, 195, 170, 68, 19, 38, 73, 134,
    6, 153, 156, 66, 80, 244, 145, 239, 152, 122, 51, 84, 11, 67, 237,
    207, 172, 98, 228, 179, 28, 169, 201, 8, 232, 149, 128, 223, 148, 250,
    117, 143, 63, 166, 71, 7, 167, 252, 243, 115, 23, 186, 131, 89, 60,
    25, 230, 133, 79, 168, 104, 107, 129, 178, 113, 100, 218, 139, 248, 235,
    15, 75, 112, 86, 157, 53, 30, 36, 14, 94, 99, 88, 209, 162, 37,
    34, 124, 59, 1, 33, 120, 135, 212, 0, 70, 87, 159, 211, 39, 82,
    76, 54, 2, 231, 160, 196, 200, 158, 234, 191, 138, 210, 64, 199, 56,
    181, 163, 247, 242, 206, 249, 97, 21, 161, 224, 174, 93, 164, 155, 52,
    26, 85, 173, 147, 50, 48, 245, 140, 177, 227, 29, 246, 226, 46, 130,
    102, 202, 96, 192, 41, 35, 171, 13, 83, 78, 111, 213, 219, 55, 69,
    222, 253, 142, 47, 3, 255, 106, 114, 109, 108, 91, 81, 141, 27, 175,
    146, 187, 221, 188, 127, 17, 217, 92, 65, 31, 16, 90, 216, 10, 193,
    49, 136, 165, 205, 123, 189, 45, 116, 208, 18, 184, 229, 180, 176, 137,
    105, 151, 74, 12, 150, 119, 126, 101, 185, 241, 9, 197, 110, 198, 132,
    24, 240, 125, 236, 58, 220, 77, 32, 121, 238, 95, 62, 215, 203, 57,
    72]
# System parameter FK (4 words) and the 32 round constants CK, shown in decimal.
SM4_FK = [
    2746333894, 1453994832, 1736282519, 2993693404]
SM4_CK = [
    462357, 472066609, 943670861, 1415275113,
    1886879365, 2358483617, 2830087869, 3301692121,
    3773296373, 4228057617, 404694573, 876298825,
    1347903077, 1819507329, 2291111581, 2762715833,
    3234320085, 3705924337, 4177462797, 337322537,
    808926789, 1280531041, 1752135293, 2223739545,
    2695343797, 3166948049, 3638552301, 4110090761,
    269950501, 741554753, 1213159005, 1684763257]
# direction selector passed to set_key / stored in CryptSM4.mode
SM4_ENCRYPT = 0
SM4_DECRYPT = 1
# padding selector for CryptSM4.padding_mode
PKCS7 = 0
ZERO = 1

class CryptSM4(object):
    """SM4 block cipher (gmssl), as bundled inside the challenge exe.

    The one deviation from upstream gmssl is in ``set_key``: every key byte is
    XORed with 37 before the key schedule runs. Everything else is uncompyle6's
    rendering of the stock code; the ``for ... else`` shapes and the
    ``while True`` / ``if length > 0`` loops below are decompiler artefacts
    (the stock loops are ``while length > 0``), not logic to reproduce.
    """

    def __init__(self, mode=SM4_ENCRYPT, padding_mode=PKCS7):
        # 32 round keys, filled in by set_key
        self.sk = [0] * 32
        self.mode = mode
        self.padding_mode = padding_mode

    @classmethod
    def _round_key(cls, ka):
        """Key-schedule transform T': S-box on each byte, then rotations by 13 and 23."""
        b = [0, 0, 0, 0]
        a = put_uint32_be(ka)
        b[0] = SM4_BOXES_TABLE[a[0]]
        b[1] = SM4_BOXES_TABLE[a[1]]
        b[2] = SM4_BOXES_TABLE[a[2]]
        b[3] = SM4_BOXES_TABLE[a[3]]
        bb = get_uint32_be(b[0:4])
        rk = bb ^ rotl(bb, 13) ^ rotl(bb, 23)
        return rk

    @classmethod
    def _f(cls, x0, x1, x2, x3, rk):
        """Round function F: x0 ^ T(x1 ^ x2 ^ x3 ^ rk)."""

        def _sm4_l_t(ka):
            # T: S-box on each byte, then the linear transform L
            # (rotations by 2, 10, 18, 24)
            b = [
                0, 0, 0, 0]
            a = put_uint32_be(ka)
            b[0] = SM4_BOXES_TABLE[a[0]]
            b[1] = SM4_BOXES_TABLE[a[1]]
            b[2] = SM4_BOXES_TABLE[a[2]]
            b[3] = SM4_BOXES_TABLE[a[3]]
            bb = get_uint32_be(b[0:4])
            c = bb ^ rotl(bb, 2) ^ rotl(bb, 10) ^ rotl(bb, 18) ^ rotl(bb, 24)
            return c

        return x0 ^ _sm4_l_t(x1 ^ x2 ^ x3 ^ rk)

    def set_key(self, key, mode):
        """Expand the 16-byte ``key`` into 32 round keys and record ``mode``.

        For SM4_DECRYPT the round keys are reversed in place, so one_round can
        run the same loop in both directions.
        """
        key = bytes_to_list(key)
        # *** the modification: not part of SM4. The schedule effectively runs
        # on key ^ 0x25 byte-wise, which is why the exp later in the write-up
        # pre-XORs the key with 37 before handing it to an unmodified gmssl.
        key = [k ^ 37 for k in key]
        MK = [0, 0, 0, 0]
        k = [0] * 36
        MK[0] = get_uint32_be(key[0:4])
        MK[1] = get_uint32_be(key[4:8])
        MK[2] = get_uint32_be(key[8:12])
        MK[3] = get_uint32_be(key[12:16])
        k[0:4] = xor(MK[0:4], SM4_FK[0:4])
        for i in range(32):
            k[i + 4] = k[i] ^ self._round_key(k[i + 1] ^ k[i + 2] ^ k[i + 3] ^ SM4_CK[i])
            self.sk[i] = k[i + 4]
        else:
            # for/else: always taken, the loop has no break
            self.mode = mode
            if mode == SM4_DECRYPT:
                for idx in range(16):
                    t = self.sk[idx]
                    self.sk[idx] = self.sk[31 - idx]
                    self.sk[31 - idx] = t

    def one_round(self, sk, in_put):
        """Process one 16-byte block (sequence of ints) with round keys ``sk``.

        32 rounds over four 32-bit words, then the reverse transform: the
        output words are X35, X34, X33, X32.
        """
        out_put = []
        ulbuf = [
            0] * 36
        ulbuf[0] = get_uint32_be(in_put[0:4])
        ulbuf[1] = get_uint32_be(in_put[4:8])
        ulbuf[2] = get_uint32_be(in_put[8:12])
        ulbuf[3] = get_uint32_be(in_put[12:16])
        for idx in range(32):
            ulbuf[idx + 4] = self._f(ulbuf[idx], ulbuf[idx + 1], ulbuf[idx + 2], ulbuf[idx + 3], sk[idx])
        else:
            out_put += put_uint32_be(ulbuf[35])
            out_put += put_uint32_be(ulbuf[34])
            out_put += put_uint32_be(ulbuf[33])
            out_put += put_uint32_be(ulbuf[32])
        return out_put

    def crypt_ecb(self, input_data):
        """ECB over ``input_data`` (bytes): pad on encrypt, unpad on decrypt.

        Every 16-byte block is processed independently -- equal plaintext
        blocks give equal ciphertext blocks.
        """
        input_data = bytes_to_list(input_data)
        if self.mode == SM4_ENCRYPT:
            if self.padding_mode == PKCS7:
                input_data = pkcs7_padding(input_data)
            else:
                if self.padding_mode == ZERO:
                    input_data = zero_padding(input_data)
                else:
                    # NOTE(review): decompiler artefact -- read as if this
                    # `else:` were absent. Presumably `length` is set and the
                    # block loop below runs unconditionally, for every mode.
                    length = len(input_data)
        i = 0
        output_data = []
        # NOTE(review): as printed this loop has no exit; presumably the real
        # loop is `while length > 0:` (one block per iteration).
        while True:
            if length > 0:
                output_data += self.one_round(self.sk, input_data[i:i + 16])
                i += 16
                length -= 16

        if self.mode == SM4_DECRYPT:
            if self.padding_mode == PKCS7:
                return list_to_bytes(pkcs7_unpadding(output_data))
            if self.padding_mode == ZERO:
                return list_to_bytes(zero_unpadding(output_data))
        return list_to_bytes(output_data)

    def crypt_cbc(self, iv, input_data):
        """CBC with a 16-byte ``iv``; PKCS#7 padding regardless of padding_mode.

        Encrypt: C_i = E(P_i ^ C_{i-1}); decrypt: P_i = D(C_i) ^ C_{i-1}.
        The `while True` / `if length > 0` / `else: return` shape is the
        decompiled form of a `while length > 0` loop followed by the return;
        the decrypt-side loop lost its exit the same way as crypt_ecb's.
        """
        i = 0
        output_data = []
        tmp_input = [0] * 16
        iv = bytes_to_list(iv)
        if self.mode == SM4_ENCRYPT:
            input_data = pkcs7_padding(bytes_to_list(input_data))
            length = len(input_data)
            while True:
                if length > 0:
                    tmp_input[0:16] = xor(input_data[i:i + 16], iv[0:16])
                    output_data += self.one_round(self.sk, tmp_input[0:16])
                    # chaining: the block just produced is the IV for the next one
                    iv = copy.deepcopy(output_data[i:i + 16])
                    i += 16
                    length -= 16

                else:
                    return list_to_bytes(output_data)
        # decrypt path: note input_data is sliced as passed in, without bytes_to_list
        length = len(input_data)
        while True:
            if length > 0:
                output_data += self.one_round(self.sk, input_data[i:i + 16])
                output_data[i:i + 16] = xor(output_data[i:i + 16], iv[0:16])
                # chaining: the ciphertext block just consumed is the next IV
                iv = copy.deepcopy(input_data[i:i + 16])
                i += 16
                length -= 16

        return list_to_bytes(pkcs7_unpadding(output_data))

可以发现是set_key函数被魔改了,多了一行异或
解密的时候加一下

exp

from gmssl import sm4
import base64

def pad_pkcs7(data):
    """Append PKCS#7 padding for a 16-byte block size.

    The pad length is 16 - (len(data) mod 16); block-aligned input still gets
    a full 16-byte tail so the padding is always removable.
    """
    remainder = len(data) % 16
    pad_value = 16 - remainder
    return data + bytes([pad_value]) * pad_value


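def unpad_pkcs7(padded_data):
    """Strip PKCS#7 padding (block size 16) and return the payload.

    Args:
        padded_data: bytes (or a sequence of ints) ending in a valid PKCS#7 tail.
    Returns:
        ``padded_data`` without its last ``padded_data[-1]`` bytes.
    Raises:
        ValueError: if the input is empty, the pad length is outside 1..16 or
            longer than the data, or the pad bytes are not all equal to it.
            Without these checks a trailing 0 silently produced an empty
            result and a bad last byte silently truncated the payload.
    """
    if not padded_data:
        raise ValueError('cannot unpad empty data')
    padding_len = padded_data[-1]
    if not 1 <= padding_len <= 16 or padding_len > len(padded_data):
        raise ValueError('invalid PKCS#7 padding length')
    # every byte of the tail must equal the pad length
    if any(b != padding_len for b in padded_data[-padding_len:]):
        raise ValueError('invalid PKCS#7 padding bytes')
    return padded_data[:-padding_len]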


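class SM4:
    """Decrypt side of the challenge's SM4 wrapper, using stock gmssl in ECB mode."""

    def __init__(self):
        # one CryptSM4 instance reused for every call
        self.gmsm4 = sm4.CryptSM4()

    def decryptSM4(self, decrypt_key, value):
        """Return the plaintext of ``value`` (raw ciphertext bytes) under ``decrypt_key``.

        Mirrors ezpython.py's encryptSM4, which padded the flag twice: once with
        pad_pkcs7 and once more inside crypt_ecb (CryptSM4 defaults to PKCS7
        padding). crypt_ecb in SM4_DECRYPT mode removes the outer layer, so the
        inner layer is stripped here with unpad_pkcs7. The ciphertext is passed
        through as-is: padding it before decrypting would only append a block of
        noise to the decrypted output.

        Args:
            decrypt_key: 16-character key string (the caller has already XORed
                it with 37 to cancel the bundled library's set_key tweak).
            value: ciphertext bytes, a multiple of 16 in length.
        Returns:
            The decoded flag string.
        """
        gmsm4 = self.gmsm4
        gmsm4.set_key(decrypt_key.encode(), sm4.SM4_DECRYPT)
        decrypt_value = gmsm4.crypt_ecb(value)
        return unpad_pkcs7(decrypt_value).decode()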
# key and ciphertext recovered from secret.pyc
key1 = 'BeginCTFBeginCTF'
enc = b'JmjJEAJGMT6F9bmC+Vyxy8Z1lpfaJzdEX6BGG/qgqUjUpQaYSON1CnZyX9YXTEClSRYm7PFZtGxmJw6LPuw1ww=='
# the bundled sm4.set_key XORs every key byte with 37 before the key schedule;
# pre-applying the same XOR makes the unmodified gmssl library reproduce it
key = ''.join(chr(ord(ch) ^ 37) for ch in key1)
sm4_instance = SM4()
flag = sm4_instance.decryptSM4(key, base64.b64decode(enc))
print(flag)
#flag{Pay_M0re_@ttention_to_th3_key!!}

flag

begin{Pay_M0re_@ttention_to_th3_key!!}

stick game

js逆向,看看index.js
找一下关键字 score
2024-03-14T131651
找到可能是初始化的地方,这个计算出来是0,直接改成1337427试试
2024-03-14T131721
随便玩一下就出flag
2024-03-14T131905

flag

begin{y0u_re4l1y_g07_1337427_6b910ec24c42f540f822ed6d6b5d5ee0}

superguesser

直接动调,定位到 sub_401530,这里有个字符串

; sub_401530 (IDA listing): 38 single-byte stores that build a buffer on the
; stack at [rbp-60h] .. [rbp-3Bh], in ascending address order. Stores without
; a character comment hold values below 0x20; the last byte is 0, which looks
; like a terminator. Read in this order the bytes give the `enc` list in the exp.
.text:000000000040155B mov     byte ptr [rbp-60h], 51h ; 'Q'
.text:000000000040155F mov byte ptr [rbp-5Fh], 51h ; 'Q'
.text:0000000000401563 mov byte ptr [rbp-5Eh], 52h ; 'R'
.text:0000000000401567 mov byte ptr [rbp-5Dh], 5Fh ; '_'
.text:000000000040156B mov byte ptr [rbp-5Ch], 59h ; 'Y'
.text:000000000040156F mov byte ptr [rbp-5Bh], 43h ; 'C'
.text:0000000000401573 mov byte ptr [rbp-5Ah], 5Dh ; ']'
.text:0000000000401577 mov byte ptr [rbp-59h], 5Fh ; '_'
.text:000000000040157B mov byte ptr [rbp-58h], 59h ; 'Y'
.text:000000000040157F mov byte ptr [rbp-57h], 49h ; 'I'
.text:0000000000401583 mov byte ptr [rbp-56h], 5Ah ; 'Z'
.text:0000000000401587 mov byte ptr [rbp-55h], 59h ; 'Y'
.text:000000000040158B mov byte ptr [rbp-54h], 56h ; 'V'
.text:000000000040158F mov byte ptr [rbp-53h], 2Eh ; '.'
.text:0000000000401593 mov byte ptr [rbp-52h], 26h ; '&'
.text:0000000000401597 mov byte ptr [rbp-51h], 1Dh
.text:000000000040159B mov byte ptr [rbp-50h], 2Ah ; '*'
.text:000000000040159F mov byte ptr [rbp-4Fh], 37h ; '7'
.text:00000000004015A3 mov byte ptr [rbp-4Eh], 1Ah
.text:00000000004015A7 mov byte ptr [rbp-4Dh], 27h ; '''
.text:00000000004015AB mov byte ptr [rbp-4Ch], 29h ; ')'
.text:00000000004015AF mov byte ptr [rbp-4Bh], 17h
.text:00000000004015B3 mov byte ptr [rbp-4Ah], 28h ; '('
.text:00000000004015B7 mov byte ptr [rbp-49h], 24h ; '$'
.text:00000000004015BB mov byte ptr [rbp-48h], 2Ah ; '*'
.text:00000000004015BF mov byte ptr [rbp-47h], 38h ; '8'
.text:00000000004015C3 mov byte ptr [rbp-46h], 25h ; '%'
.text:00000000004015C7 mov byte ptr [rbp-45h], 21h ; '!'
.text:00000000004015CB mov byte ptr [rbp-44h], 3Dh ; '='
.text:00000000004015CF mov byte ptr [rbp-43h], 0Fh
.text:00000000004015D3 mov byte ptr [rbp-42h], 32h ; '2'
.text:00000000004015D7 mov byte ptr [rbp-41h], 3Ah ; ':'
.text:00000000004015DB mov byte ptr [rbp-40h], 3Ch ; '<'
.text:00000000004015DF mov byte ptr [rbp-3Fh], 3Dh ; '='
.text:00000000004015E3 mov byte ptr [rbp-3Eh], 36h ; '6'
.text:00000000004015E7 mov byte ptr [rbp-3Dh], 33h ; '3'
.text:00000000004015EB mov byte ptr [rbp-3Ch], 2Ah ; '*'
.text:00000000004015EF mov byte ptr [rbp-3Bh], 0 ; terminator?

直接把这个字符串dump出来

# the 38 bytes stored at [rbp-60h]..[rbp-3Bh] in sub_401530, in address order
# (the final 0 looks like the string terminator)
enc = [
    0x51, 0x51, 0x52, 0x5F, 0x59, 0x43, 0x5D, 0x5F,
    0x59, 0x49, 0x5A, 0x59, 0x56, 0x2E, 0x26, 0x1D,
    0x2A, 0x37, 0x1A, 0x27, 0x29, 0x17, 0x28, 0x24,
    0x2A, 0x38, 0x25, 0x21, 0x3D, 0x0F, 0x32, 0x3A,
    0x3C, 0x3D, 0x36, 0x33, 0x2A, 0,
]

既然题目叫superguesser,那就猜一下

enc = [0x51, 0x51, 0x52, 0x5F, 0x59, 0x43, 0x5D, 0x5F, 0x59, 0x49, 0x5A, 0x59, 0x56, 0x2E, 0x26, 0x1D, 0x2A, 0x37, 0x1A, 0x27, 0x29, 0x17, 0x28, 0x24, 0x2A, 0x38, 0x25, 0x21, 0x3D, 0x0F, 0x32, 0x3A, 0x3C, 0x3D, 0x36, 0x33, 0x2A, 0]
# known-plaintext probe: XOR the first six stored bytes with "begin{" to see
# which key byte each position must have used
known = 'begin{'
print(*[enc[pos] ^ ord(ch) for pos, ch in enumerate(known)])
#51 52 53 54 55 56

应该就是异或(51+i)

exp

# the terminating 0 from the listing is left out: 37 bytes, 37 flag characters
enc = [0x51, 0x51, 0x52, 0x5F, 0x59, 0x43, 0x5D, 0x5F, 0x59, 0x49, 0x5A, 0x59, 0x56, 0x2E, 0x26, 0x1D, 0x2A, 0x37, 0x1A, 0x27, 0x29, 0x17, 0x28, 0x24, 0x2A, 0x38, 0x25, 0x21, 0x3D, 0x0F, 0x32, 0x3A, 0x3C, 0x3D, 0x36, 0x33, 0x2A]
# probe output for the known prefix "begin{": the key byte grows by one per
# position (51, 52, ...)
print(*[enc[pos] ^ ord(ch) for pos, ch in enumerate('begin{')])
# so byte i was XORed with 51 + i; `+` binds tighter than `^` in Python, the
# parentheses just make that grouping explicit
flag = ''.join(chr(byte ^ (51 + pos)) for pos, byte in enumerate(enc))
print(flag)
#51 52 53 54 55 56
#begin{debugging_is_an_anathor_choice}

flag

begin{debugging_is_an_anathor_choice}