imaginaryCTF round46

Misc

Spooky Sound

wav,先拖下来Audacity看一眼频谱,果然就有flag。

flag

Last Minute

c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

int main(void) {
    srand(time(NULL));

    const char* flag = "[redacted]";

    for(int i = 0; i < strlen(flag); i++) {
        printf("%02x", flag[i] ^ (rand() % 256));
    }

    printf("\n");

    return 0;
}

直截了当的爆破。

c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <time.h>

int main(void) {
    long int flag[]={0x94,0x1e,0x94,0xd2,0x87,0xfa,0xb0,0x58,0xfd,0xe5,0xb6,0x0a,0x1b,0xd5,0x39,0xee,0x4d,0x55,0xb7,0x08,0x70,0xf1,0x29,0xba,0x6b,0x2a,0x76,0x71,0x76,0x58,0xe4,0xce,0xea,0x1c,0xc0,0xb2,0x5d,0x01,0x84,0xff,0x7c,0x2c,0x4c,0xb4,0x8b,0xe6,0x6e,0x28,0xa4,0xd5,0xed,0x96,0x09,0xfc,0xc4,0xc8,0x6f};

    int len = sizeof(flag) / sizeof(flag[0]);
    char decrypted[len + 1]; 

    for (long int seed = 1715867640; seed < 1715878940; seed++) {
        srand(seed);

        for (int j = 0; j < len; j++) {
            decrypted[j] = flag[j] ^ (rand() % 256);
        }
        decrypted[len] = '\0'; 

        if (strstr(decrypted, "ictf") != NULL) {
            printf("Seed: %ld\n", seed);
            printf("Decrypted string: %s\n", decrypted);
        }
    }

    return 0;
}

Crypto

xorsar

hbugzchu^gmhqqhof^guv>^0e8c3028|

实验可知\(cipher[i] = flag[i] \oplus 1\),xor回去即可。

Random Base

OED8WECRFCS6/TC9$DUICGPEFQEGS6BM6*.CN-DZ2

字母特征猜出是base45。

Strange Base

aQ==Yw==dA==Zg==ew==dg==Mw==cg==eQ==Xw==NQ==Nw==cg==NA==bg==Zw==Mw==Xw==Yg==NA==cw==Mw==Xw==Ng==NA==IQ==fQ==

很容易看出来是逐字符的base64,4字一组decode即可。

So much XOR

Python
1
2
3
4
5
6
7
8
9
10
11
12
13
14
from pwn import xor # pwntools xor function
import random
flag = open('flag.txt','rb').read()
key1 = b'supersecurekey'
key2=b'verysecretkey'
iters1 = random.randint(1,100)
iters2 = random.randint(1,100)
enc = flag
for i in range(iters1):
    enc = xor(enc,key1)
    for j in range(iters2):
        enc = xor(enc,key2)

# b'\x1a\x16\x04\x03\t\x00\n<\x18\x07\x06\x03:\x00\x16\x01/\x16\x1d,\t\n\x01\x06\t\x0e\x18'

异或满足交换律和结合律,并且和同一个数异或两次会还原自身,所以做的这么多异或无非就是异或了0次或者1次。

Python
1
2
3
4
5
6
7
8
from pwn import xor # pwntools xor function

cipher = b'\x1a\x16\x04\x03\t\x00\n<\x18\x07\x06\x03:\x00\x16\x01/\x16\x1d,\t\n\x01\x06\t\x0e\x18'
key1 = b'supersecurekey'
key2=b'verysecretkey'
print(xor(cipher, key1))
print(xor(cipher, key2))
print(xor(xor(cipher, key1),key2))

Reverse

Tape Reader

程序会简单地读取纸带做对应操作。纸带和操作都明确给出了,逆操作即可。需要注意的是,Binary Ninja似乎解析纸带数组时会出现错误,这部分最好用IDA去做。

c
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
#include <stdio.h>
#include <string.h>

#define SIZE 21

int main() {
    char command[] = "aaiasiasassaiaasaiaiaaasssiasisaasiasissaiaasaiasisaisaisaiiaasaiassissaiasii";
    int arr[SIZE] = {0x81, 0x6a, 0x7f, 0x6b, 0x78, 0x75, 0x6e, 0x7a, 0x67, 0x5e, 0x83, 0x6a, 0x67, 0x70, 0x61, 0x6f, 0x81, 0x73, 0x6f, 0x77, 0x74};
    int v4 = 21;
    int i, len = strlen(command);

    for (i = len - 1; i >= 0; --i) {
        switch (command[i]) {
            case 'a':
                arr[v4] -= 5;
                break;
            case 'i':
                --v4;
                break;
            case 's':
                arr[v4] += 3;
                break;
            case 'x':
                arr[v4] ^= arr[v4 + 1];
                break;
            default:
                continue;
        }
    }

    for (i = 0; i < SIZE; ++i) {
        printf("0x%x", arr[i]);
    }
    
    return 0;
}

Writeups
#CTF #Crypto
imaginaryCTF round46
https://eupho.me/1eb1cc3e.html
作者
Lambert Swizzer
发布于
2024年6月1日
许可协议