2024年春秋杯网络安全联赛冬季赛

misc

简单算数

喂给GPT

image-20250117125105986

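# Ciphertext handed out by the challenge.
cipher_text = "ys~xdg/m@]mjkz@vl@z~lf>b"


def xor_decrypt(cipher, key):
    """Decrypt *cipher* with a repeating-key XOR.

    Args:
        cipher: Ciphertext as a str; the code point of each character is
            XORed with one key byte.
        key: Non-empty sequence of ints. Key element ``i % len(key)`` is
            applied to character ``i``, so a short key repeats.

    Returns:
        The decrypted text as a str. XOR is its own inverse, so the same
        call also encrypts.
    """
    # The listing was pasted with its indentation stripped, which left the
    # function body at column 0; the body is re-indented here so it parses.
    return "".join(chr(ord(c) ^ key[i % len(key)]) for i, c in enumerate(cipher))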

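# Try repeating keys of increasing length and stop at the first one whose
# output has the expected "flag{...}" frame.
#
# Each extra key byte multiplies the search by 256 (256**5 is about 1.1e12
# candidates), so the longer lengths are only practical to reach when the
# shorter ones have already failed. A short repeating XOR key combined with
# a known plaintext frame gives no real confidentiality.
for key_len in range(1, 6):  # assume the key is at most 5 bytes long
    for key in range(256**key_len):  # every possible key of this length
        # Split the counter into key_len bytes, least significant first.
        key_bytes = [(key >> (8 * i)) & 0xFF for i in range(key_len)]
        plain_text = xor_decrypt(cipher_text, key_bytes)
        if plain_text.startswith("flag{") and plain_text.endswith("}"):
            print(f"密钥: {key_bytes}, 解密结果: {plain_text}")
            break
    else:
        # No key of this length matched; move on to the next length.
        continue
    # A key was found. The original `break` only left the inner loop, so the
    # search carried on into the far larger multi-byte key spaces.
    break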

web

easy_flask

一把梭

# Install the fenjing command-line tool from PyPI. The version is not pinned
# here; pin one and use a throwaway virtualenv if the run must be reproducible.
pip install fenjing
# Start fenjing's local web UI.
# NOTE(review): fenjing automates Jinja2 template-injection testing, so the
# challenge presumably renders user input as a template; the page does not show
# the vulnerable code. The server-side fix for that class of bug is to pass
# user data to the template as variables, never as template source.
fenjing webui

image-20250117131351469

crypto

通往哈希的旅程

image-20250117132228136

import hashlib

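def crack_hash(target_hash, prefix="188", suffix_digits=8):
    """Recover a phone number from its unsalted SHA-1 hex digest.

    The search enumerates every number that starts with *prefix* and is
    followed by *suffix_digits* decimal digits (zero-padded), hashes it and
    compares against the target. With the defaults this is at most 10**8
    candidates, which is why an unsalted fast hash does not protect a
    low-entropy identifier such as a phone number; a keyed HMAC or a salted
    slow KDF is the usual mitigation.

    Args:
        target_hash: SHA-1 digest as a hex string. Surrounding whitespace
            and letter case are ignored.
        prefix: Known leading digits of the number (default "188", the
            value fixed in the original script).
        suffix_digits: Number of unknown trailing digits (default 8).

    Returns:
        The matching phone number as a str, or None when no candidate
        hashes to *target_hash*.
    """
    # hexdigest() is always lowercase, so normalise the target once instead
    # of silently missing an upper-case or padded digest.
    wanted = target_hash.strip().lower()
    for i in range(10 ** suffix_digits):
        # Zero-pad so that every candidate has the full number of digits.
        phone_number = f"{prefix}{i:0{suffix_digits}d}"
        if hashlib.sha1(phone_number.encode()).hexdigest() == wanted:
            return phone_number
    return None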

if __name__ == "__main__":
    # SHA-1 hex digest given by the challenge.
    target_hash = "ca12fd8250972ec363a16593356abb1f3cf3a16d"
    # Run the enumeration; the result is None when nothing matches.
    result = crack_hash(target_hash)
    # Report either the recovered number or the failure.
    message = f"找到的电话号码: {result}" if result else "未找到匹配的电话号码。"
    print(message)

Reverse

ko0h

32位,无壳,打开ida

看了一眼字符串

image-20250117181900352

明显的换表,看一眼表

image-20250117181940457

但是是假的

看见函数,存在花指令

image-20250117182012763

看一眼汇编,主要存在的花指令就是

image-20250117182059899

全部nop掉就可以发现主要的加密逻辑在下面

image-20250117182326215

跟进去之后就会发现同样存在花指令,去掉之后

image-20250117182458555

然后双击

image-20250117182558483

很明显的密文,找一下加密逻辑

image-20250117182823240

RC4(非标准:下方解密脚本的最后一步是 Data[k] + s[t],用加法代替了标准 RC4 的异或)

image-20250117182805435

本以为密钥是

image-20250117182859582

但是我们跟踪过去发现真正的密钥

image-20250117182947058

这里注意都是存在花指令的,去除即可

#include<stdio.h>

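/*
 * RC4 key-scheduling step: fill s with the identity permutation 0..255 and
 * then shuffle it under the key.
 *
 *   s      256-byte state array, written by this function
 *   key    key bytes
 *   Len_k  number of key bytes
 *
 * If key is null or Len_k is 0 the state is left as the identity
 * permutation; the original evaluated `i % Len_k` and divided by zero.
 */
void rc4_init(unsigned char* s, unsigned char* key, unsigned long Len_k)
{
    int i = 0, j = 0;
    /* Must be unsigned: where plain char is signed, a key byte >= 0x80
       becomes negative, j can drop below zero and s[j] is then read and
       written outside the array. */
    unsigned char k[256] = { 0 };
    unsigned char tmp = 0;

    if (!s)
        return;

    for (i = 0; i < 256; i++)
        s[i] = (unsigned char)i;

    if (!key || Len_k == 0)
        return;

    /* Repeat the key until it fills all 256 slots. */
    for (i = 0; i < 256; i++)
        k[i] = key[i % Len_k];

    /* Key-dependent shuffle of the state. */
    for (i = 0; i < 256; i++) {
        j = (j + s[i] + k[i]) % 256;
        tmp = s[i];
        s[i] = s[j];
        s[j] = tmp;
    }
}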

/*
 * RC4-style keystream pass over a buffer, in place.
 *
 *   Data   buffer to transform
 *   Len_D  number of bytes in Data
 *   key    key bytes, handed to rc4_init
 *   Len_k  number of key bytes
 *
 * Unlike standard RC4, the keystream byte is ADDED to the data byte (modulo
 * 256) instead of XORed, so this routine is not its own inverse.
 * NOTE(review): presumably this mirrors the modified cipher in the challenge
 * binary; confirm against the disassembly.
 */
void rc4_crypt(unsigned char* Data, unsigned long Len_D, unsigned char* key, unsigned long Len_k)
{
    unsigned char state[256];
    unsigned long pos;
    int x = 0, y = 0;

    rc4_init(state, key, Len_k);

    for (pos = 0; pos < Len_D; pos++) {
        unsigned char held;
        int idx;

        /* Advance the two state indices. */
        x = (x + 1) % 256;
        y = (y + state[x]) % 256;

        /* Swap state[x] and state[y]. */
        held = state[x];
        state[x] = state[y];
        state[y] = held;

        /* Pick the keystream byte and add it to the data byte. */
        idx = (state[x] + state[y]) % 256;
        Data[pos] = Data[pos] + state[idx];
    }
}
int main()
{
    /* NOTE(review): the next two comments name a key and a ciphertext that
       this program never uses; they look like leftovers from another
       template. */
    // key: key ='WangDingCUPKEY!!'
    // ciphertext: src=[0xC632A2F05BD9371D,0x3AA73E7E508CA730,0x1C6B85816B58C0BA,0x9742C18A7C80F54C]

    /* Key as a string; sizeof - 1 drops the terminating NUL. */
    unsigned char key[] = "DDDDAAAASSSS";
    unsigned long key_len = sizeof(key)-1;
    /* Alternative form: key given as a byte array (not used here). */
    // unsigned char key[] = {0x92, 0x1C, 0x2B, 0x1F, 0xBA, 0xFB, 0xA2, 0xFF, 0x07, 0x69,0x7D, 0x77, 0x18, 0x8C};
    // unsigned long key_len = sizeof(key);

    /* Bytes to transform in place. */
    unsigned char data[] = {0x18,0x9c,0x47,0x3d,0x3b,0xe1,0x29,0x27,0x9f,0x34,0x83,0xd5,0xed,0xb5,0x6e,0x59,0x7f,0xde,0x47,0xd7,0x65,0x3f,0x7a,0x33,0x5b,0x64,0xb6,0xfa,0x94,0x55,0x87,0x42,0x20,0x6,0xc,0x69,0xfe,0x72,0xa9,0xe4,0xd1,0x7c};

    rc4_crypt(data, sizeof(data), key, key_len);

    /* Emit the result byte by byte, then a newline. */
    for (size_t idx = 0; idx < sizeof(data); idx++)
        putchar(data[idx]);
    putchar('\n');
    return 0;
}

ezre

回头复现的,难点在于整个环境必须在Linux下运行(rand() 的实现随 C 运行库而不同,同一个种子在 Linux 的 glibc 和 Windows 的 MSVC 运行库下会生成不同的序列),再就是爆破脚本的编写

exp:

#include<stdio.h> 
#include <stdlib.h>
int main(){
    /* Encrypted bytes (42 of them); presumably exported from IDA, judging
       by the array name. */
    unsigned char ida_chars[42] = {
        0x5C, 0x76, 0x4A, 0x78, 0x15, 0x62, 0x05, 0x7C, 0x6B, 0x21, 0x40, 0x66, 0x5B, 0x1A, 0x48, 0x7A,
        0x1E, 0x46, 0x7F, 0x28, 0x02, 0x75, 0x68, 0x2A, 0x34, 0x0C, 0x4B, 0x1D, 0x3D, 0x2E, 0x6B, 0x7A,
        0x17, 0x45, 0x07, 0x75, 0x47, 0x27, 0x39, 0x78, 0x61, 0x0B
    };
    size_t pos;

    /* Fixed seed: the keystream is whatever this C library's rand() yields
       for it, so the output depends on the platform's rand(). */
    srand(3021285795);

    /* XOR each byte with the next rand() value reduced modulo 127. */
    for (pos = 0; pos < sizeof(ida_chars); pos++) {
        int keystream = rand() % 127;
        putchar(keystream ^ ida_chars[pos]);
    }

    return 0 ;
}

解密脚本没啥说的,就是种子的爆破确实整不出来

#include <stdio.h>
#include <stdlib.h>

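int main()
{
    /* Encrypted bytes; only the first five are needed for the seed check. */
    unsigned char Enc[] = {
        0x5C, 0x76, 0x4A, 0x78, 0x15, 0x62, 0x05, 0x7C, 0x6B, 0x21,
        0x40, 0x66, 0x5B, 0x1A, 0x48, 0x7A, 0x1E, 0x46, 0x7F, 0x28,
        0x02, 0x75, 0x68, 0x2A, 0x34, 0x0C, 0x4B, 0x1D, 0x3D, 0x2E,
        0x6B, 0x7A, 0x17, 0x45, 0x07, 0x75, 0x47, 0x27, 0x39, 0x78,
        0x61, 0x0B
    };
    /* Known plaintext prefix. Enc[j] ^ known[j] is the value that
       rand() % 127 must produce at position j for the right seed. */
    const char known[] = "flag{";
    const int known_len = (int)(sizeof(known) - 1);

    /* Search window chosen by the write-up; the page does not show why the
       seed lies in this range. The result depends on the C library's
       rand(), so run it on the platform the target binary uses. */
    for (long long i = 0xB0000000; i < 0xC0000000; i++)
    {
        int j;

        srand((unsigned int)i);
        /* Compare against Enc directly and stop at the first mismatch. The
           original drew 42 values per seed, used five of them, and checked
           them against constants that duplicated Enc[0..4]. */
        for (j = 0; j < known_len; j++) {
            if (rand() % 127 != (Enc[j] ^ known[j]))
                break;
        }

        /* Every matching seed is reported, as in the original. */
        if (j == known_len)
            printf("Seed found: %lld\n", i);
    }

    return 0;
}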

image-20250118103249753