base64

表右移24位

XTEA

大端序密文输入。

delta没给,直接爆破0—>0xffffffff

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
#include<stdio.h>
#include<stdint.h>
#include<stdlib.h>

void encipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4],uint32_t delta) {
    unsigned int i;
    uint32_t v0 = v[0], v1 = v[1], sum = 0,a,b,c    ;
    
    for (i = 0; i < num_rounds; i++) {
    /*  printf("%x,%x,%x\n", v0, v1,sum);*/
        a = (v1 << 4) ^ (v1 >> 5);
        //printf("%x\n", a);
        b = a+v1;
        c = sum + key[sum & 3];
        v0 += ( b^ c);
        sum -= delta;
        v1 += (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
    }
    v[0] = v0; v[1] = v1;
}

void decipher(unsigned int num_rounds, uint32_t v[2], uint32_t const key[4],uint32_t delta) {
    unsigned int i;
    uint32_t v0 = v[0], v1 = v[1], sum = delta * num_rounds ;
    sum = 0;
    for (int j = 0; j < 32; j++) sum -= delta;
    for (i = 0; i < num_rounds; i++) {

        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (sum + key[(sum >> 11) & 3]);
        sum += delta;
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (sum + key[sum & 3]);
        
    }
    v[0] = v0; v[1] = v1;
}

int main() {
    uint32_t v[8] = { 0x8CCB2324, 0x09A7741A, 0xFB3C678D, 0xF6083A79, 0xF1CC241B, 0x39FA59F2, 0xF2ABE1CC, 0x17189F72 };
    uint32_t k[4] = { 0x000019F8, 0x000011BE, 0x00000991, 0x00003418 };
    srand(2024);
    uint32_t v2[4] = {0};
    char flag[] = "HZNUCTF{";
    //for (int i = 0; i < 4; i++) {
    //  k[i] = rand();
    //}

    uint32_t delta = 0;
    for (uint32_t j = 0; j < 0xffffffff; j++) {
        v2[0] = 0x485a4e55;
        v2[1] = 0x4354467b;
        encipher(32, v2, k,j);
        if (v2[0] == v[0]) {
            delta = j;
            printf("%d\n", j);
        }
    }
    printf("\n");
    unsigned int r = 32;            
    for (int i = 6; i >=0; i--) {
        decipher(r, &v[i], k, delta);
    }
    for (int i = 0; i < 32; i++) {
        printf("%c", *((char*)v + i));
    }

    return 0;
}

最后手动把四字节反转一下

1
HZNUCTF{ae6-9f57-4b74-b423-98eb}

conforand

混淆成一坨了,把seed改为1后动调+盯帧查看数据变化和加密逻辑。

魔改rc4,魔改了下面的部分。

时间戳作为种子生成随机数(delta)对密钥进行了异或加密。

加密时盒交换就交换了一次,详情看下面的脚本。

解密时对随机数进行爆破再异或密钥解密魔改rc4就行。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
#include<stdio.h> 
#include<stdlib.h>
#include<string.h>

//s 表的长度取 256
#define size 257

unsigned char sbox[257] = { 0 };

// 初始化 s 表
void init_sbox(unsigned char* key,unsigned int delta) {
    unsigned int i, j, k;
    int tmp;
    unsigned char keyt[257] = { 0 };
    //int delta = 0x6B8B4567;
    for (i = 0; i < size; i++) {
        sbox[i] = i;
        keyt[i] = (key[i % 9] ^ delta) % 256; 

    }
    j =k = 0;
    for (i = 0; i < size; i++) {
        tmp = sbox[i];
        j = (j + tmp + keyt[i]) % 257;  
        //printf("%x,", j);
        sbox[i] = sbox[j];
        sbox[j] = tmp;
        /*if (++k >= 12)
            k = 0;*/
    }
    //printf("\n");


}

// 加解密函数
void enc_dec(unsigned char* key, unsigned char* data,unsigned int delta) {
    int i, j, k, R, tmp;

    init_sbox(key,delta);
    //printf("R:\n");
    j = k = 0;
    for (i = 0; i < strlen((char*)data); i++) {
        j = (j + 1) % size;
        k = (k + sbox[j]) % size;

        tmp = sbox[j];
        sbox[j] = sbox[k];
        //sbox[k] = tmp;
        int a, b, c;
        a = (sbox[j]);
        b = sbox[k];
        c = a + b;
        /*for (int i = 0; i < 256; i++) {
            printf("0x%x,", sbox[i]);
        }*/
        R = sbox[c % size];
        //printf("%x,", R);
        data[i] ^= R;
    }
}

int main() {
    unsigned char key[100] ="JustDoIt!";
    unsigned char data[100] = "000000000000000000000000000000000000000000";
    unsigned char mm[100] = { 0x83,0x1e,0x9c,0x48,0x7a,0xfa,0xe8,0x88,0x36,0xd5,0x0a,0x08,0xf6,0xa7,0x70,0x0f,0xfd,0x67,0xdd,0xd4,0x3c,0xa7,0xed,0x8d,0x51,0x10,0xce,0x6a,0x9e,0x56,0x57,0x83,0x56,0xe7,0x67,0x9a,0x67,0x22,0x24,0x6e,0xcd,0x2f };
    unsigned char flag[] = "HZNUCTF{}";
    unsigned char tmp[100];
    tmp[42] = '\0';

    for (unsigned int i = 0; i < 0xffffffff; i++) {  //爆破随机数
        for (int j = 0; j < 42; j++) {
            tmp[j] = mm[j];
        }
        enc_dec(key, tmp,i);
        if (tmp[0] == flag[0] && tmp[1] == flag[1] &&tmp[2] == flag[2] && tmp[3] == flag[3])
        {
            printf("delta:%d\n", i);
            for (int i = 0; i < 42; i++) {
                printf("0x%x,", mm[i]);
            }
            break;
        }
    }
    printf("\n%s", tmp);

    return 0;
}

蛇年的本命语言

z3解一下。

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
from z3 import *

s = Solver()
i11i1Iii1I1 =list(Int(f"a_{i}") for i in range(30))
ii1iIi1i11i = [
    7 * i11i1Iii1I1[0] == 504,
    9 * i11i1Iii1I1[0] - 5 * i11i1Iii1I1[1] == 403,
    (2 * i11i1Iii1I1[0] - 5 * i11i1Iii1I1[1]) + 10 * i11i1Iii1I1[2] == 799,
    3 * i11i1Iii1I1[0] + 8 * i11i1Iii1I1[1] + 15 * i11i1Iii1I1[2] + 20 * i11i1Iii1I1[3] == 2938,
    (5 * i11i1Iii1I1[0] + 15 * i11i1Iii1I1[1] + 20 * i11i1Iii1I1[2] - 19 * i11i1Iii1I1[3]) + 1 * i11i1Iii1I1[4] == 2042,
    (7 * i11i1Iii1I1[0] + 1 * i11i1Iii1I1[1] + 9 * i11i1Iii1I1[2] - 11 * i11i1Iii1I1[3]) + 2 * i11i1Iii1I1[4] + 5 * i11i1Iii1I1[5] == 1225,
    11 * i11i1Iii1I1[0] + 22 * i11i1Iii1I1[1] + 33 * i11i1Iii1I1[2] + 44 * i11i1Iii1I1[3] + 55 * i11i1Iii1I1[4] + 66 * i11i1Iii1I1[5] - 77 * i11i1Iii1I1[6] == 7975,
    ((21 * i11i1Iii1I1[0] + 23 * i11i1Iii1I1[1] + 3 * i11i1Iii1I1[2] + 24 * i11i1Iii1I1[3] - 55 * i11i1Iii1I1[4]) + 6 * i11i1Iii1I1[5] - 7 * i11i1Iii1I1[6]) + 15 * i11i1Iii1I1[7] == 229,
    (2 * i11i1Iii1I1[0] + 26 * i11i1Iii1I1[1] + 13 * i11i1Iii1I1[2] + 0 * i11i1Iii1I1[3] - 65 * i11i1Iii1I1[4]) + 15 * i11i1Iii1I1[5] + 29 * i11i1Iii1I1[6] + 1 * i11i1Iii1I1[7] + 20 * i11i1Iii1I1[8] == 2107,
    (10 * i11i1Iii1I1[0] + 7 * i11i1Iii1I1[1] + -9 * i11i1Iii1I1[2] + 6 * i11i1Iii1I1[3] + 7 * i11i1Iii1I1[4] + 1 * i11i1Iii1I1[5] + 22 * i11i1Iii1I1[6] + 21 * i11i1Iii1I1[7] - 22 * i11i1Iii1I1[8]) + 30 * i11i1Iii1I1[9] == 4037,
    (15 * i11i1Iii1I1[0] + 59 * i11i1Iii1I1[1] + 56 * i11i1Iii1I1[2] + 66 * i11i1Iii1I1[3] + 7 * i11i1Iii1I1[4] + 1 * i11i1Iii1I1[5] - 122 * i11i1Iii1I1[6]) + 21 * i11i1Iii1I1[7] + 32 * i11i1Iii1I1[8] + 3 * i11i1Iii1I1[9] - 10 * i11i1Iii1I1[10] == 4950,
    (((13 * i11i1Iii1I1[0] + 66 * i11i1Iii1I1[1] + 29 * i11i1Iii1I1[2] + 39 * i11i1Iii1I1[3] - 33 * i11i1Iii1I1[4]) + 13 * i11i1Iii1I1[5] - 2 * i11i1Iii1I1[6]) + 42 * i11i1Iii1I1[7] + 62 * i11i1Iii1I1[8] + 1 * i11i1Iii1I1[9] - 10 * i11i1Iii1I1[10]) + 11 * i11i1Iii1I1[11] == 12544,
    (((23 * i11i1Iii1I1[0] + 6 * i11i1Iii1I1[1] + 29 * i11i1Iii1I1[2] + 3 * i11i1Iii1I1[3] - 3 * i11i1Iii1I1[4]) + 63 * i11i1Iii1I1[5] - 25 * i11i1Iii1I1[6]) + 2 * i11i1Iii1I1[7] + 32 * i11i1Iii1I1[8] + 1 * i11i1Iii1I1[9] - 10 * i11i1Iii1I1[10]) + 11 * i11i1Iii1I1[11] - 12 * i11i1Iii1I1[12] == 6585,
    ((((223 * i11i1Iii1I1[0] + 6 * i11i1Iii1I1[1] - 29 * i11i1Iii1I1[2] - 53 * i11i1Iii1I1[3] - 3 * i11i1Iii1I1[4]) + 3 * i11i1Iii1I1[5] - 65 * i11i1Iii1I1[6]) + 0 * i11i1Iii1I1[7] + 36 * i11i1Iii1I1[8] + 1 * i11i1Iii1I1[9] - 15 * i11i1Iii1I1[10]) + 16 * i11i1Iii1I1[11] - 18 * i11i1Iii1I1[12]) + 13 * i11i1Iii1I1[13] == 6893,
    ((((29 * i11i1Iii1I1[0] + 13 * i11i1Iii1I1[1] - 9 * i11i1Iii1I1[2] - 93 * i11i1Iii1I1[3]) + 33 * i11i1Iii1I1[4] + 6 * i11i1Iii1I1[5] + 65 * i11i1Iii1I1[6] + 1 * i11i1Iii1I1[7] - 36 * i11i1Iii1I1[8]) + 0 * i11i1Iii1I1[9] - 16 * i11i1Iii1I1[10]) + 96 * i11i1Iii1I1[11] - 68 * i11i1Iii1I1[12]) + 33 * i11i1Iii1I1[13] - 14 * i11i1Iii1I1[14] == 1883,
    (((69 * i11i1Iii1I1[0] + 77 * i11i1Iii1I1[1] - 93 * i11i1Iii1I1[2] - 12 * i11i1Iii1I1[3]) + 0 * i11i1Iii1I1[4] + 0 * i11i1Iii1I1[5] + 1 * i11i1Iii1I1[6] + 16 * i11i1Iii1I1[7] + 36 * i11i1Iii1I1[8] + 6 * i11i1Iii1I1[9] + 19 * i11i1Iii1I1[10] + 66 * i11i1Iii1I1[11] - 8 * i11i1Iii1I1[12]) + 38 * i11i1Iii1I1[13] - 16 * i11i1Iii1I1[14]) + 15 * i11i1Iii1I1[15] == 8257,
    ((((23 * i11i1Iii1I1[0] + 2 * i11i1Iii1I1[1] - 3 * i11i1Iii1I1[2] - 11 * i11i1Iii1I1[3]) + 12 * i11i1Iii1I1[4] + 24 * i11i1Iii1I1[5] + 1 * i11i1Iii1I1[6] + 6 * i11i1Iii1I1[7] + 14 * i11i1Iii1I1[8] - 0 * i11i1Iii1I1[9]) + 1 * i11i1Iii1I1[10] + 68 * i11i1Iii1I1[11] - 18 * i11i1Iii1I1[12]) + 68 * i11i1Iii1I1[13] - 26 * i11i1Iii1I1[14]) + 15 * i11i1Iii1I1[15] - 16 * i11i1Iii1I1[16] == 5847,
    (((((24 * i11i1Iii1I1[0] + 0 * i11i1Iii1I1[1] - 1 * i11i1Iii1I1[2] - 15 * i11i1Iii1I1[3]) + 13 * i11i1Iii1I1[4] + 4 * i11i1Iii1I1[5] + 16 * i11i1Iii1I1[6] + 67 * i11i1Iii1I1[7] + 146 * i11i1Iii1I1[8] - 50 * i11i1Iii1I1[9]) + 16 * i11i1Iii1I1[10] + 6 * i11i1Iii1I1[11] - 1 * i11i1Iii1I1[12]) + 69 * i11i1Iii1I1[13] - 27 * i11i1Iii1I1[14]) + 45 * i11i1Iii1I1[15] - 6 * i11i1Iii1I1[16]) + 17 * i11i1Iii1I1[17] == 18257,
    ((((25 * i11i1Iii1I1[0] + 26 * i11i1Iii1I1[1] - 89 * i11i1Iii1I1[2]) + 16 * i11i1Iii1I1[3] + 19 * i11i1Iii1I1[4] + 44 * i11i1Iii1I1[5] + 36 * i11i1Iii1I1[6] + 66 * i11i1Iii1I1[7] - 150 * i11i1Iii1I1[8] - 250 * i11i1Iii1I1[9]) + 166 * i11i1Iii1I1[10] + 126 * i11i1Iii1I1[11] - 11 * i11i1Iii1I1[12]) + 690 * i11i1Iii1I1[13] - 207 * i11i1Iii1I1[14]) + 46 * i11i1Iii1I1[15] + 6 * i11i1Iii1I1[16] + 7 * i11i1Iii1I1[17] - 18 * i11i1Iii1I1[18] == 12591,
    (((((5 * i11i1Iii1I1[0] + 26 * i11i1Iii1I1[1] + 8 * i11i1Iii1I1[2] + 160 * i11i1Iii1I1[3] + 9 * i11i1Iii1I1[4] - 4 * i11i1Iii1I1[5]) + 36 * i11i1Iii1I1[6] + 6 * i11i1Iii1I1[7] - 15 * i11i1Iii1I1[8] - 20 * i11i1Iii1I1[9]) + 66 * i11i1Iii1I1[10] + 16 * i11i1Iii1I1[11] - 1 * i11i1Iii1I1[12]) + 690 * i11i1Iii1I1[13] - 20 * i11i1Iii1I1[14]) + 46 * i11i1Iii1I1[15] + 6 * i11i1Iii1I1[16] + 7 * i11i1Iii1I1[17] - 18 * i11i1Iii1I1[18]) + 19 * i11i1Iii1I1[19] == 52041,
    ((((((29 * i11i1Iii1I1[0] - 26 * i11i1Iii1I1[1]) + 0 * i11i1Iii1I1[2] + 60 * i11i1Iii1I1[3] + 90 * i11i1Iii1I1[4] - 4 * i11i1Iii1I1[5]) + 6 * i11i1Iii1I1[6] + 6 * i11i1Iii1I1[7] - 16 * i11i1Iii1I1[8] - 21 * i11i1Iii1I1[9]) + 69 * i11i1Iii1I1[10] + 6 * i11i1Iii1I1[11] - 12 * i11i1Iii1I1[12]) + 69 * i11i1Iii1I1[13] - 20 * i11i1Iii1I1[14] - 46 * i11i1Iii1I1[15]) + 65 * i11i1Iii1I1[16] + 0 * i11i1Iii1I1[17] - 1 * i11i1Iii1I1[18]) + 39 * i11i1Iii1I1[19] - 20 * i11i1Iii1I1[20] == 20253,
    (((((((45 * i11i1Iii1I1[0] - 56 * i11i1Iii1I1[1]) + 10 * i11i1Iii1I1[2] + 650 * i11i1Iii1I1[3] - 900 * i11i1Iii1I1[4]) + 44 * i11i1Iii1I1[5] + 66 * i11i1Iii1I1[6] - 6 * i11i1Iii1I1[7] - 6 * i11i1Iii1I1[8] - 21 * i11i1Iii1I1[9]) + 9 * i11i1Iii1I1[10] - 6 * i11i1Iii1I1[11] - 12 * i11i1Iii1I1[12]) + 69 * i11i1Iii1I1[13] - 2 * i11i1Iii1I1[14] - 406 * i11i1Iii1I1[15]) + 651 * i11i1Iii1I1[16] + 2 * i11i1Iii1I1[17] - 10 * i11i1Iii1I1[18]) + 69 * i11i1Iii1I1[19] - 0 * i11i1Iii1I1[20]) + 21 * i11i1Iii1I1[21] == 18768,
    (((((555 * i11i1Iii1I1[0] - 6666 * i11i1Iii1I1[1]) + 70 * i11i1Iii1I1[2] + 510 * i11i1Iii1I1[3] - 90 * i11i1Iii1I1[4]) + 499 * i11i1Iii1I1[5] + 66 * i11i1Iii1I1[6] - 66 * i11i1Iii1I1[7] - 610 * i11i1Iii1I1[8] - 221 * i11i1Iii1I1[9]) + 9 * i11i1Iii1I1[10] - 23 * i11i1Iii1I1[11] - 102 * i11i1Iii1I1[12]) + 6 * i11i1Iii1I1[13] + 2050 * i11i1Iii1I1[14] - 406 * i11i1Iii1I1[15]) + 665 * i11i1Iii1I1[16] + 333 * i11i1Iii1I1[17] + 100 * i11i1Iii1I1[18] + 609 * i11i1Iii1I1[19] + 777 * i11i1Iii1I1[20] + 201 * i11i1Iii1I1[21] - 22 * i11i1Iii1I1[22] == 111844,
    (((((((1 * i11i1Iii1I1[0] - 22 * i11i1Iii1I1[1]) + 333 * i11i1Iii1I1[2] + 4444 * i11i1Iii1I1[3] - 5555 * i11i1Iii1I1[4]) + 6666 * i11i1Iii1I1[5] - 666 * i11i1Iii1I1[6]) + 676 * i11i1Iii1I1[7] - 660 * i11i1Iii1I1[8] - 22 * i11i1Iii1I1[9]) + 9 * i11i1Iii1I1[10] - 73 * i11i1Iii1I1[11] - 107 * i11i1Iii1I1[12]) + 6 * i11i1Iii1I1[13] + 250 * i11i1Iii1I1[14] - 6 * i11i1Iii1I1[15]) + 65 * i11i1Iii1I1[16] + 39 * i11i1Iii1I1[17] + 10 * i11i1Iii1I1[18] + 69 * i11i1Iii1I1[19] + 777 * i11i1Iii1I1[20] + 201 * i11i1Iii1I1[21] - 2 * i11i1Iii1I1[22]) + 23 * i11i1Iii1I1[23] == 159029,
    (((520 * i11i1Iii1I1[0] - 222 * i11i1Iii1I1[1]) + 333 * i11i1Iii1I1[2] + 4 * i11i1Iii1I1[3] - 56655 * i11i1Iii1I1[4]) + 6666 * i11i1Iii1I1[5] + 666 * i11i1Iii1I1[6] + 66 * i11i1Iii1I1[7] - 60 * i11i1Iii1I1[8] - 220 * i11i1Iii1I1[9]) + 99 * i11i1Iii1I1[10] + 73 * i11i1Iii1I1[11] + 1007 * i11i1Iii1I1[12] + 7777 * i11i1Iii1I1[13] + 2500 * i11i1Iii1I1[14] + 6666 * i11i1Iii1I1[15] + 605 * i11i1Iii1I1[16] + 390 * i11i1Iii1I1[17] + 100 * i11i1Iii1I1[18] + 609 * i11i1Iii1I1[19] + 99999 * i11i1Iii1I1[20] + 210 * i11i1Iii1I1[21] + 232 * i11i1Iii1I1[22] + 23 * i11i1Iii1I1[23] - 24 * i11i1Iii1I1[24] == 2762025,
    ((((1323 * i11i1Iii1I1[0] - 22 * i11i1Iii1I1[1]) + 333 * i11i1Iii1I1[2] + 4 * i11i1Iii1I1[3] - 55 * i11i1Iii1I1[4]) + 666 * i11i1Iii1I1[5] + 666 * i11i1Iii1I1[6] + 66 * i11i1Iii1I1[7] - 660 * i11i1Iii1I1[8] - 220 * i11i1Iii1I1[9]) + 99 * i11i1Iii1I1[10] + 3 * i11i1Iii1I1[11] + 100 * i11i1Iii1I1[12] + 777 * i11i1Iii1I1[13] + 2500 * i11i1Iii1I1[14] + 6666 * i11i1Iii1I1[15] + 605 * i11i1Iii1I1[16] + 390 * i11i1Iii1I1[17] + 100 * i11i1Iii1I1[18] + 609 * i11i1Iii1I1[19] + 9999 * i11i1Iii1I1[20] + 210 * i11i1Iii1I1[21] + 232 * i11i1Iii1I1[22] + 23 * i11i1Iii1I1[23] - 24 * i11i1Iii1I1[24]) + 25 * i11i1Iii1I1[25] == 1551621,
    (((((777 * i11i1Iii1I1[0] - 22 * i11i1Iii1I1[1]) + 6969 * i11i1Iii1I1[2] + 4 * i11i1Iii1I1[3] - 55 * i11i1Iii1I1[4]) + 666 * i11i1Iii1I1[5] - 6 * i11i1Iii1I1[6]) + 96 * i11i1Iii1I1[7] - 60 * i11i1Iii1I1[8] - 220 * i11i1Iii1I1[9]) + 99 * i11i1Iii1I1[10] + 3 * i11i1Iii1I1[11] + 100 * i11i1Iii1I1[12] + 777 * i11i1Iii1I1[13] + 250 * i11i1Iii1I1[14] + 666 * i11i1Iii1I1[15] + 65 * i11i1Iii1I1[16] + 90 * i11i1Iii1I1[17] + 100 * i11i1Iii1I1[18] + 609 * i11i1Iii1I1[19] + 999 * i11i1Iii1I1[20] + 21 * i11i1Iii1I1[21] + 232 * i11i1Iii1I1[22] + 23 * i11i1Iii1I1[23] - 24 * i11i1Iii1I1[24]) + 25 * i11i1Iii1I1[25] - 26 * i11i1Iii1I1[26] == 948348,
    ((((((97 * i11i1Iii1I1[0] - 22 * i11i1Iii1I1[1]) + 6969 * i11i1Iii1I1[2] + 4 * i11i1Iii1I1[3] - 56 * i11i1Iii1I1[4]) + 96 * i11i1Iii1I1[5] - 6 * i11i1Iii1I1[6]) + 96 * i11i1Iii1I1[7] - 60 * i11i1Iii1I1[8] - 20 * i11i1Iii1I1[9]) + 99 * i11i1Iii1I1[10] + 3 * i11i1Iii1I1[11] + 10 * i11i1Iii1I1[12] + 707 * i11i1Iii1I1[13] + 250 * i11i1Iii1I1[14] + 666 * i11i1Iii1I1[15] + -9 * i11i1Iii1I1[16] + 90 * i11i1Iii1I1[17] + -2 * i11i1Iii1I1[18] + 609 * i11i1Iii1I1[19] + 0 * i11i1Iii1I1[20] + 21 * i11i1Iii1I1[21] + 2 * i11i1Iii1I1[22] + 23 * i11i1Iii1I1[23] - 24 * i11i1Iii1I1[24]) + 25 * i11i1Iii1I1[25] - 26 * i11i1Iii1I1[26]) + 27 * i11i1Iii1I1[27] == 777044,
    (((((177 * i11i1Iii1I1[0] - 22 * i11i1Iii1I1[1]) + 699 * i11i1Iii1I1[2] + 64 * i11i1Iii1I1[3] - 56 * i11i1Iii1I1[4] - 96 * i11i1Iii1I1[5] - 66 * i11i1Iii1I1[6]) + 96 * i11i1Iii1I1[7] - 60 * i11i1Iii1I1[8] - 20 * i11i1Iii1I1[9]) + 99 * i11i1Iii1I1[10] + 3 * i11i1Iii1I1[11] + 10 * i11i1Iii1I1[12] + 707 * i11i1Iii1I1[13] + 250 * i11i1Iii1I1[14] + 666 * i11i1Iii1I1[15] + -9 * i11i1Iii1I1[16] + 0 * i11i1Iii1I1[17] + -2 * i11i1Iii1I1[18] + 69 * i11i1Iii1I1[19] + 0 * i11i1Iii1I1[20] + 21 * i11i1Iii1I1[21] + 222 * i11i1Iii1I1[22] + 23 * i11i1Iii1I1[23] - 224 * i11i1Iii1I1[24]) + 25 * i11i1Iii1I1[25] - 26 * i11i1Iii1I1[26]) + 27 * i11i1Iii1I1[27] - 28 * i11i1Iii1I1[28] == 185016,
    ((((((77 * i11i1Iii1I1[0] - 2 * i11i1Iii1I1[1]) + 6 * i11i1Iii1I1[2] + 6 * i11i1Iii1I1[3] - 96 * i11i1Iii1I1[4] - 9 * i11i1Iii1I1[5] - 6 * i11i1Iii1I1[6]) + 96 * i11i1Iii1I1[7] - 0 * i11i1Iii1I1[8] - 20 * i11i1Iii1I1[9]) + 99 * i11i1Iii1I1[10] + 3 * i11i1Iii1I1[11] + 10 * i11i1Iii1I1[12] + 707 * i11i1Iii1I1[13] + 250 * i11i1Iii1I1[14] + 666 * i11i1Iii1I1[15] + -9 * i11i1Iii1I1[16] + 0 * i11i1Iii1I1[17] + -2 * i11i1Iii1I1[18] + 9 * i11i1Iii1I1[19] + 0 * i11i1Iii1I1[20] + 21 * i11i1Iii1I1[21] + 222 * i11i1Iii1I1[22] + 23 * i11i1Iii1I1[23] - 224 * i11i1Iii1I1[24]) + 26 * i11i1Iii1I1[25] - -58 * i11i1Iii1I1[26]) + 27 * i11i1Iii1I1[27] - 2 * i11i1Iii1I1[28]) + 29 * i11i1Iii1I1[29] == 130106]


for i in ii1iIi1i11i:
    s.add(i)

res =""
if s.check() == sat:
    for i in range(30):
        res += chr(s.model()[i11i1Iii1I1[i]].as_long())
print(res)

tab = dict()
for i in range(0,len(res),2):
    if res[i+1] == '1': continue
    tab[res[i+1]] = res[i]
print(tab)

m = "111111116257645365477364777645752361"
flag = "HZNUCTF{"
for i in m:
    if i == '1': continue
    flag += tab[i]
flag+='}'
print(flag)
HZNUCTF{ad7fa-76a7-ff6a-fffa-7f7d6a}

水果忍者

AES加密

![image (3)](https://huanghunr-blog.oss-cn-hangzhou.aliyuncs.com/img/image (3).png)

![image (4)](https://huanghunr-blog.oss-cn-hangzhou.aliyuncs.com/img/image (4).png)

![image (5)](https://huanghunr-blog.oss-cn-hangzhou.aliyuncs.com/img/image (5).png)

randomsystem

矩阵操作,换位,乘法,生成密钥,异或加密

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
import re
import numpy as np

def gettaable_byasm():
    asm =   """
    mov     [ebp+var_104], 1
mov     [ebp+var_100], 1
mov     [ebp+var_FC], 0
mov     [ebp+var_F8], 1
mov     [ebp+var_F4], 0
mov     [ebp+var_F0], 0
mov     [ebp+var_EC], 1
mov     [ebp+var_E8], 0
mov     [ebp+var_E4], 0
mov     [ebp+var_E0], 1
mov     [ebp+var_DC], 1
mov     [ebp+var_D8], 0
mov     [ebp+var_D4], 0
mov     [ebp+var_D0], 1
mov     [ebp+var_CC], 0
mov     [ebp+var_C8], 1
mov     [ebp+var_C4], 0
mov     [ebp+var_C0], 0
mov     [ebp+var_BC], 1
mov     [ebp+var_B8], 1
mov     [ebp+var_B4], 0
mov     [ebp+var_B0], 1
mov     [ebp+var_AC], 1
mov     [ebp+var_A8], 0
mov     [ebp+var_A4], 0
mov     [ebp+var_A0], 0
mov     [ebp+var_9C], 0
mov     [ebp+var_98], 1
mov     [ebp+var_94], 0
mov     [ebp+var_90], 1
mov     [ebp+var_8C], 0
mov     [ebp+var_88], 1
mov     [ebp+var_84], 0
mov     [ebp+var_80], 1
mov     [ebp+var_7C], 0
mov     [ebp+var_78], 0
mov     [ebp+var_74], 1
mov     [ebp+var_70], 0
mov     [ebp+var_6C], 1
mov     [ebp+var_68], 0
mov     [ebp+var_64], 0
mov     [ebp+var_60], 0
mov     [ebp+var_5C], 0
mov     [ebp+var_58], 0
mov     [ebp+var_54], 0
mov     [ebp+var_50], 1
mov     [ebp+var_4C], 0
mov     [ebp+var_48], 1
mov     [ebp+var_44], 0
mov     [ebp+var_40], 0
mov     [ebp+var_3C], 0
mov     [ebp+var_38], 0
mov     [ebp+var_34], 0
mov     [ebp+var_30], 0
mov     [ebp+var_2C], 1
mov     [ebp+var_28], 1
mov     [ebp+var_24], 0
mov     [ebp+var_20], 1
mov     [ebp+var_1C], 1
mov     [ebp+var_18], 0
mov     [ebp+var_14], 0
mov     [ebp+var_10], 0
mov     [ebp+var_C], 0
mov     [ebp+var_8], 1
            """
    values = re.findall(r"mov.*?,\s*(\d+)", asm)
    values = [int(x) for x in values]
    return values

def exchange(input, tableM):
    inlen = len(input)
    for i in range(32):
        input[i], input[inlen - tableM[i] - 1] = input[inlen - tableM[i] - 1], input[i] #前32位与后32按盒位交换
    return input

def deexchange(input, tableM):
    inlen = len(input)
    for i in range(32):
        input[inlen - tableM[i] - 1], input[i] = input[i], input[inlen - tableM[i] - 1] #前32位与后32按盒位交换
    return input

def changeKey(key):
    data = []
    for i in range(0, len(key), 2):
        data.append((((key[i] - 48)<<4) | (key[i + 1] - 48)) &0xff)
    return data


key2 = [53, 50, 54, 53, 53, 54, 54, 53, 53, 50, 54, 53, 53, 51, 54, 53]
mm = [376, 356, 169, 501, 277, 329, 139, 342, 380, 365, 162, 258, 381, 339, 347, 307, 263, 359, 162, 484, 310, 333, 346,
      339, 150, 194, 175, 344, 158, 250, 128, 175, 158, 173, 152, 379, 158, 292, 130, 365, 197, 20, 197, 161, 198, 10,
      207, 244, 202, 14, 204, 176, 193, 255, 35, 7, 158, 181, 145, 353, 153, 357, 246, 151]

randi = [27, 26, 25, 23, 28, 1, 6, 10, 20, 7, 15, 14, 31, 18, 19, 21, 9, 30, 22, 24, 8, 2, 29, 3, 12, 11, 17, 16, 0, 13, 5, 4] #用c语言生成随机数

MatrixB = gettaable_byasm()

key = changeKey(key2)

for i in range(len(mm)):
    mm[i] ^= key[i % len(key)]

B = np.array(mm).reshape(-1,8)
A = np.array(MatrixB).reshape(-1,8) #转为矩阵-1为自适应

invA = np.linalg.inv(A) #求逆
res = invA @ B #矩阵乘法

resl =deexchange(res.astype(int).flatten().tolist(),randi) #flatten降维,转成list,astype转为int类型

flag =''.join(map(chr,resl))

print(flag)