2024 Chunqiu Cup (春秋杯) Winter Competition Day 3

12 Misc 音频的秘密 (The Secret of the Audio)

DeepSound used the weak password 123; I guessed it right away.

Then a known-plaintext attack using the PNG header:

.\bkcrack.exe -C flag.zip -c flag.png -p 1.txt -o 0
bkcrack 1.7.1 - 2024-12-21
[16:30:13] Z reduction using 9 bytes of known plaintext
100.0 % (9 / 9)
[16:30:13] Attack on 734325 Z values at index 6
Keys: 29d29517 0fa535a9 abc67696
20.4 % (150044 / 734325)
Found a solution. Stopping.
You may resume the attack with the option: --continue-attack 150044
[16:30:52] Keys
29d29517 0fa535a9 abc67696

.\bkcrack.exe -C .\flag.zip -k 29d29517 0fa535a9 abc67696 -D dec.zip
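Why a fixed PNG header is enough to start from: the following is an added example (not from the original post and not bkcrack's code) of the ZipCrypto stream cipher, showing that known plaintext XOR ciphertext exposes keystream bytes and that the three 32-bit state words decrypt an entry without the password. The password and image data are constructed, and the 12-byte encryption header of a real entry is left out.

```python
# Added example with constructed inputs: PKWARE "traditional" ZipCrypto.
CRC = []
for _i in range(256):                      # standard CRC-32 table (poly 0xEDB88320)
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ 0xEDB88320 if _c & 1 else _c >> 1
    CRC.append(_c)

# First 16 bytes of every PNG: signature, IHDR length (13), chunk type "IHDR".
PNG_HEADER = bytes.fromhex("89504e470d0a1a0a0000000d49484452")

class ZipCrypto:
    """The whole cipher state is three 32-bit words."""
    def __init__(self, password=b"", keys=(0x12345678, 0x23456789, 0x34567890)):
        self.k0, self.k1, self.k2 = keys
        for b in password:                 # the password only seeds the state
            self._update(b)

    def _update(self, plain_byte):
        self.k0 = (self.k0 >> 8) ^ CRC[(self.k0 ^ plain_byte) & 0xFF]
        self.k1 = ((self.k1 + (self.k0 & 0xFF)) * 134775813 + 1) & 0xFFFFFFFF
        self.k2 = (self.k2 >> 8) ^ CRC[(self.k2 ^ (self.k1 >> 24)) & 0xFF]

    def _stream_byte(self):
        t = (self.k2 | 2) & 0xFFFF
        return ((t * (t ^ 1)) >> 8) & 0xFF

    def crypt(self, data, decrypt=False):
        out = bytearray()
        for b in data:
            x = b ^ self._stream_byte()
            out.append(x)
            self._update(x if decrypt else b)   # state advances on the plaintext byte
        return bytes(out)

def keystream_from_known_plaintext(ciphertext, known):
    """Ciphertext XOR known plaintext is the keystream at those offsets."""
    return bytes(c ^ p for c, p in zip(ciphertext, known))

def demo():
    body = PNG_HEADER + b"constructed image data"
    enc = ZipCrypto(password=b"constructed-password")
    keys = (enc.k0, enc.k1, enc.k2)        # state after seeding; password no longer needed
    ct = enc.crypt(body)                   # (a real entry also has a 12-byte encryption header)
    leaked = keystream_from_known_plaintext(ct, PNG_HEADER)
    recovered = ZipCrypto(keys=keys).crypt(ct, decrypt=True)
    return body, ct, leaked, recovered

if __name__ == "__main__":
    body, ct, leaked, recovered = demo()
    print("keystream leaked by the PNG header:", leaked.hex())
    print("decrypts from state words alone:", recovered == body)
```

Archives that must stay confidential should use AES-based ZIP encryption instead, since any entry whose first bytes are predictable gives away keystream under ZipCrypto.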

Then look at the LSB planes with Stegsolve.

flag{Y1_Shun_jian_Fa_ZE_Dian_Fu}

13 Crypto funny_rsa

Hard to keep a straight face: the flag is inside the fake flag.

from Crypto.Util.number import *
import gmpy2

# funny numbers
funny1 = -17696257697673533517695215344482784803953262308315416688683426036407670627060768442028628137969719289734388098357659521255966031131390425549974547376165392147394271974280020234101031837837842620775164967619688351222631803585213762205793801828461058523503457022704948803795360591719481537859524689187847958423587638744086265395438163720708785636319741908901866136858161996560525252461619641697255819255661269266471689541673348377717503957328827459396677344554172542244540931545166846117626585580964318010181586516365891413041095399344533013057011854734701706641516027767197631044458866554524544179750101814734153116374
funny2 = 23686728880494758233026798487859622755203105120130180108222733038275788082047755828771429849079142070779731875136837978862880500205129022165600511611807590195341629179443057553694284913974985006590617143873019530710952420242412437467917519539591683898715990297750494900923245055632544763410401540518654522017115269508183482044872091052235608170710105631742176900306097734799793264202179181242015892763311753674799273300604804820015447161950996038795518844564861004398396796284113803759208011
funny3 = 419166458284161364374927086939132546372091965414091344286510440034452974193054721041229068769658972346759176374539266235862042787888391905466876330331208651698002159575012622762558316612596034044109738533275009086940744966244759977014078484433213617582101347769476703012517531619023366639507114909172774156647998737369356116119513795863130218094614475699956104117183821832339358478426978211282822163928764161915824622224165694904342224081321345691796882691318330781141960650263488927837990954860719950761728580780956673732592771855694502630374907978111094148614378212006604233062606116168868545120407836000858982789824582335703891535021579560434875457656655941164757860852341484554015214879991896412137447010444797452119431147303295803678311972500421396900616845556636124424993090559354406417222700637726789045926994792374756038517484548544506630672251868349748176389591615802039026216656891403871728516658502023897343287181822303758976641229952646993446276281728919020747050486979968215989594984778920359425264076558022228448529089047021814759587052098774273578311709416672952218680244714492318709603579024
funny4 = 13541898381047120826573743874105965191304100799517820464813250201030319771155430755606644860103469823030581858410957600027665504533335597988508084284252510961847999525811558651340906333101248760970154440885012717108131962658921396549020943832983712611749095468180648011521808106480590665594160479324931351996812185581193608244652792936715504284312172734662364676167010674359243219959129435127950232321130725013160026977752389409620674167037650367196748592335698164875097139931376389630867192761783936757260359606379088577977154378217235326249540098268616890307702288393952949444753648206049856544634755301197410481479

# Compute n
n = (funny3 + 1025) // funny2


def find_factors(n, s):
    # Given a candidate s = p + q, p and q are the roots of x^2 - s*x + n = 0.
    a = gmpy2.isqrt(s * s // 4 - n)
    p = s // 2 + a
    q = s // 2 - a
    return p, q


# Try different values of r to find p and q
for r in range(-1025, 1026):
    s = funny1 + n + r
    p, q = find_factors(n, s)
    if p * q == n:
        print(f"p = {p}")
        print(f"q = {q}")
        print(f"n = {n}")

        # Compute phi and d
        phi = (p - 1) * (q - 1)
        e = 65537
        d = gmpy2.invert(e, phi)

        # Decrypt funny4 to get hint
        hint = pow(funny4, d, n)
        print(f"hint = {hint}")
        print(f"hint bytes = {long_to_bytes(hint)}")

        # Solve for m from funny2
        # funny2 = m * hint
        m = funny2 // hint
        print(f"m = {m}")
        print(f"m bytes = {long_to_bytes(m)}")
        print(long_to_bytes(5044833682931814367881036090727702841234957943094051805420875375031047763007750978962055801191968383860156687597666360268370292861))
        break

flag{aB3-CdE7_FgH9-iJkLmNoPqRsT-UvWxYz1234567890}

14 Web easy_php

The source code was provided. Looking through it, file.php can read files, so I went straight to file.php?file=/flag

flag{a16dcb7549915546893a27a6d7927615}

15 Reverse easyasm

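16-bit DOS

Reading the assembly shows that there are two key parts.

At startup the program preprocesses an array of values (the key) by running a bubble sort over it, operating on two bytes at a time.

The sorted key is then split into high and low bytes and XORed with the ciphertext.

So write code that bubble-sorts the key array, splits each sorted two-byte value into its high and low bytes, and XORs them in order with the ciphertext.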

Exp:

public class Decoder {
    public static void main(String[] args) {
        // First array (the key words)
        int[] array1 = {
            0x2030, 0x3040, 0x4050, 0x1022, 0x2011, 0x1666, 0x1522, 0x8899,
            0x4155, 0x4044, 0x4288, 0x3321, 0x6033, 0xFFFF, 0x2221, 0x3366,
            0x222C, 0x2CCC, 0x22CC, 0xCC22, 0xC2C2
        };

        // Bubble sort
        int size = array1.length;
        for (int i = 0; i < size; i++) {
            boolean swapped = false;
            for (int j = 0; j < size - 1 - i; j++) {
                if (array1[j] > array1[j + 1]) {
                    // Swap the elements
                    int temp = array1[j];
                    array1[j] = array1[j + 1];
                    array1[j + 1] = temp;
                    swapped = true;
                }
            }
            if (!swapped) {
                break;
            }
        }

        // Split each word into its low and high bytes (low byte stored first)
        byte[] result = new byte[2 * size];
        for (int i = 0; i < size; i++) {
            result[2 * i] = (byte)(array1[i] & 0xFF);
            result[2 * i + 1] = (byte)((array1[i] >> 8) & 0xFF);
        }

        // Second array (the ciphertext)
        byte[] array2 = {
            0x44, 0x7C, 0x43, 0x72, 0x1D, 0x72, 0x74, 0x41, 0x05, 0x14,
            0x19, 0x1A, 0x19, 0x0F, (byte)0xF5, 0x10, (byte)0xAE, 0x18,
            0x6D, 0x01, 0x10, 0x56, 0x00, 0x1E, 0x26, 0x71, 0x65, 0x73,
            0x78, 0x72, (byte)0xEB, 0x72, 0x52, 0x06, (byte)0xAA, (byte)0xBB,
            (byte)0xA3, (byte)0xA4, 0x1B, (byte)0xFC, (byte)0xC7, (byte)0x82
        };

        // XOR and print the result
        StringBuilder flag = new StringBuilder();
        for (int i = 0; i < array2.length; i++) {
            // Note: byte is signed in Java, so convert to unsigned first
            int a = array2[i] & 0xFF;
            int b = result[i] & 0xFF;
            flag.append((char)(a ^ b));
        }

        System.out.println(flag.toString());
    }
}

flag{dea54885-92b4-11ef-b153-3c0af33af908}


https://more678.github.io/2025/01/20/2024春秋杯冬季赛Day3/
Author: tenstrings
Published: January 20, 2025