2025 第一届 "经院杯" 网络安全竞赛 WP

First Post:

Last Update:

Word Count:
450

Read Time:
2 min

MISC

Torrent!

打开种子文件找到SHA1 Hash

在线解密拿到明文,MD4 Hash

哈基米

文件属性找到Base64,文件尾找到替换表

CRYPTO

Empire

Empire(皇帝) / Ceasar凯撒(大帝)

SEA

直接爆

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
from Crypto.Cipher import AES
import base64
# from FLAG  import flag

def pkcs7_pad(data):
    block = 16
    padding_len = block - len(data) % block
    return data + bytes([padding_len]) * padding_len

key_l3 = [65, 65, 65]

def main():
    while key_l3[0] != 0x7e:
        key_l3[2] += 1
        if (key_l3[2] > 0x7e):
            key_l3[2] = 65
            key_l3[1] += 1
        if (key_l3[1] > 0x7e):
            key_l3[1] = 65
            key_l3[0] += 1
        key = "ZJTIE-CTF-IS-" + chr(key_l3[0]) + chr(key_l3[1]) + chr(key_l3[2])
        print(key)
        cipher = AES.new(key.encode(), AES.MODE_ECB)
        encode_text = base64.b64decode('patCICFf4hK+vmHQaDhaqn+j+/dHGsfkoky0TUDjSsVOe/PQcEgznf9F65BgH5Ek')
        try:
            plain_text = cipher.decrypt(encode_text).decode()

            print(plain_text)
            break
        except:
            continue
if __name__ == "__main__":
    main()

WEB

CET4

AI改变生活(

饼干大亨

DevTools本地替换得到Tip

Cookie找到myflag

全家桶

REVERSE

ezRE

IDA反编译找到比较相关代码和处理代码

1
2
3
4
5
6
7
8
text = b'ZKVJA~6e::?;;9#9qw\"> $$$5!x)(0*-FG\x17'
_hex = 0x571C4B11101D4246
b = _hex.to_bytes(8, byteorder='little')
text += b

for i in range(len(text)):
    print(chr(text[i] ^ i), end='')
print()

MOBILE

BabyAPK

Jadx打开,发现DES加密和异或操作,key和enc在strings.xml

直接解密

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
public static byte[] hexToBytes(String hex) {
    int len = hex.length();
    if ((len & 1) != 0) {
        throw new IllegalArgumentException("Invalid hex length");
    }

    byte[] out = new byte[len / 2];
    for (int i = 0; i < len; i += 2) {
        int hi = Character.digit(hex.charAt(i), 16);
        int lo = Character.digit(hex.charAt(i + 1), 16);
        if (hi < 0 || lo < 0) {
            throw new IllegalArgumentException("Invalid hex char");
        }
        out[i / 2] = (byte) ((hi << 4) | lo);
    }
    return out;
}
String hex = "8b54a1f1ec35e82b9aa5bbb7d95949370127be0a147e653f3f950fdc1e4ec24cc5b87570cd60cab8";
String key = "zjtienb!";
try {
    byte[] cipherBytes = hexToBytes(hex);
    byte[] keyBytes = key.getBytes("UTF-8");
    SecretKey secretKey = new SecretKeySpec(keyBytes, "DES");
    Cipher cipher = Cipher.getInstance("DES/ECB/PKCS5Padding");
    cipher.init(Cipher.DECRYPT_MODE, secretKey);
    byte[] plainBytes = cipher.doFinal(cipherBytes);
    String result =  new String(plainBytes, "UTF-8");

    StringBuilder decodedPart = new StringBuilder();
    for (int i = 0; i < result.length(); i++) {
        decodedPart.append((char) (result.charAt(i) ^ '\t'));
    }
    Log.d("DES", decodedPart.toString());
} catch (Exception e) {
    throw new RuntimeException(e);
}