京麒ctf 2025热身赛re wp

clev1L Lv3

2025-04-23 11:18:55 2025-04-23 11:18:55 Created 2025-04-23 11:36:55 2025-04-23 11:36:55 Updated 705 Words 3 Mins

re1

puts密文后爆破就行

from string import printable
#3456789:;<=>?@AA3456789:;<=>?@AB
#3456789:;<=>?@AB3456789:;<=>?@AB
enc=[ord(i) for i in "cge87k?9<>?@=pss393=>;8@:Cp@DAuH"]

import subprocess

executable_path = r"C:\Users\86139\Desktop\download\re2.exe"  # 替换为您的可执行文件的路径
base=""
for i in range(32):
    for j in printable:
        try_data = (base+j).ljust(32,"0")
        print(try_data)
        process = subprocess.Popen(executable_path, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        input_bytes = try_data.encode('utf-8')  # 将输入数据转换为字节
        process.stdin.write(input_bytes)
        process.stdin.flush()  # 刷新输入缓冲区
        # 获取输出
        output, error = process.communicate()
        s = list(output.strip(b'Enter flag: ').strip(b'\r\n'))
        if i<16:
            if s[15-i]==enc[15-i]:
                base=base+j
                print(base)
                break
        else:
            if s[31-(i-16)]==enc[31-(i-16)]:
                base=base+j
                print(base)
                break

re2

实际只有一个异或，异或结果和输入前两位有关系

直接爆前2位就行了

import subprocess
printable="0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ!#$%&'()*+,-./:;<=>?@[\]^_`{|}~"
from tqdm import tqdm
executable_path = r"C:\Users\86139\Desktop\download\re1.exe"  # 替换为您的可执行文件的路径
for i in tqdm(printable):
    for j in printable:
        try_data = (i+j).ljust(42,"0")
        print(try_data)
        process = subprocess.Popen(executable_path, stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
        input_bytes = try_data.encode('utf-8')  # 将输入数据转换为字节
        process.stdin.write(input_bytes)
        process.stdin.flush()  # 刷新输入缓冲区
        # 获取输出
        output, error = process.communicate()
        s = output.decode('gbk')
        if "err" not in s:
            print(try_data,s)

显然得到前两位是fl

输入”fl”+”0”*40，然后拿到异或的结果与密文，就能异或得到flag

key="fl"+"0"*40
get=[0x00, 0xA1, 0xAA, 0x04, 0x57, 0xFB, 0xA3, 0x12, 0x0E, 0x45,
  0xD3, 0x8E, 0x42, 0xE9, 0x97, 0x71, 0x45, 0xEB, 0x96, 0x0B,
  0x54, 0x85, 0x67, 0xAA, 0x2E, 0x15, 0x03, 0x7E, 0xB3, 0xDB,
  0x8B, 0x6A, 0xA6, 0x3D, 0xCA, 0xE4, 0xB6, 0xD9, 0x9F, 0x0A,
  0x7E, 0x46]
enc=[0x00, 0xA1, 0xFB, 0x53, 0x1C, 0xFA, 0xF0, 0x1B, 0x06, 0x40,
  0xD4, 0x8C, 0x16, 0xF4, 0x90, 0x27, 0x42, 0xB9, 0x8B, 0x0F,
  0x02, 0xD7, 0x31, 0xB7, 0x26, 0x12, 0x06, 0x7E, 0xAE, 0xDF,
  0xDA, 0x68, 0xAF, 0x35, 0xCC, 0xB7, 0xB0, 0xD0, 0x9A, 0x59,
  0x2B, 0x0B]
for i in range(len(enc)):
    enc[i]^=get[i]^ord(key[i])
print("".join(map(chr,enc)))
#flag{1c98572d-7f7b-4fbf-8750-4a2986c695ce}

#搓算法像个糖批
def rol32(value, shift):
    shift %= 32  # 确保 shift 在 0-31 范围内
    return ((value << shift) | (value >> (32 - shift))) & 0xFFFFFFFF

test=[ord(i) for i in "428PbdFNWQZVTI6Q3lbx4Nu68zzCUbiVLxQzOUzuzU"]
print("2"*42)
v29=(test[1]<<8)|(test[0])
for i in range(len(test)):
    high=(v29 >> 2) ^ (v29 >> 3) ^ (v29 >> 1)
    # print(hex(high))
    low=v29
    temp = (high << 16) | low  # 拼接成 32 位
    di=(temp>>1)&0xffff
    cl=low&0xff
    cl = ((cl << 4)&0xff) | (cl >> 4)
    low=(cl|(low&0xff00))
    high=di
    # print(hex(low),hex(high))
    # print(hex(high))

    dl=low&0xff
    dl&=0x33
    dl<<=2
    dl&=0xff
    # print(hex(dl))
    cl=low&0xff
    cl>>=2
    cl&=0x33
    cl|=dl
    # print(hex(cl))

    low = (cl | (low & 0xff00))

    dl=low&0x55
    dl+=dl
    dl&=0xff
    # print(hex(dl))

    cl=low&0xff
    cl>>=1
    # print(hex(cl))
    cl&=0x55
    cl|=dl

    print(hex(cl),hex(high))
    test[i]^=cl
    v29=high

printhex(test)

Title: 京麒ctf 2025热身赛re wp
Author: clev1L
Created at : 2025-04-23 11:18:55
Updated at : 2025-04-23 11:36:55
Link: https://github.com/clev1l/2025/04/23/jqctf-2025热身赛re-wp/
License: This work is licensed under CC BY-NC-SA 4.0.

Comments

On this page

京麒ctf 2025热身赛re wp

re1
re2