HSCCTF2024

Misc

hello-hscctf

Extract the key information from the picture.

(03338) 76 Friseur Kosmetik Montag; click the last one.

Bottom-left corner of the newspaper; search for Friseursalon Aerts.

Re

tea

Classic TEA; only the form in which the ciphertext is presented differs.

#include <stdio.h>
#include <stdint.h>

int main(void) {
    /* 0x61C88647 is -0x9E3779B9 mod 2^32, so "sum += delta" below is the
       usual TEA decrypt step "sum -= 0x9E3779B9" in disguise */
    uint32_t delta = 0x61C88647;
    uint32_t sum, i;

    /* ciphertext taken from the binary (bytes 0x67,0xd7,0x05,0xb8 little-endian);
       sized for 10 words in case the flag turns out to be longer than one block */
    uint32_t v5[10] = {0xb805d767, 0x63c174c3};
    /* k is the encryption/decryption key: four 32-bit unsigned integers, i.e. 128 bits */
    uint32_t k[4] = {2, 2, 3, 4};
    uint32_t k0 = k[0], k1 = k[1], k2 = k[2], k3 = k[3];

    for (int m = 0; m < 2; m += 2) { /* if the flag is incomplete, this bound may be 10 */
        sum = -32 * delta;           /* 32 rounds: starts at 0xC6EF3720 (= -957401312) */
        for (i = 0; i < 32; i++) {   /* basic cycle start */
            v5[m + 1] -= ((v5[m] << 4) + k2) ^ (v5[m] + sum) ^ ((v5[m] >> 5) + k3);
            v5[m] -= ((v5[m + 1] << 4) + k0) ^ (v5[m + 1] + sum) ^ ((v5[m + 1] >> 5) + k1);
            sum += delta;
        }                            /* end cycle */
    }

    for (int j = 0; j < 2; j++) {
        printf("%x ", v5[j]);
    }
    printf("\n");
    /* print the decrypted words byte by byte as characters (little-endian order) */
    for (int j = 0; j < 2; j++) {
        for (int m = 0; m <= 3; m++) {
            printf("%c", (v5[j] >> (8 * m)) & 0xff);
        }
    }
    printf("\n");

    return 0;
}

Who knows why: the exe says the input is wrong, but submitting it directly is correct.

flag{688ed036-a86a60ce}
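As an added example (not the write-up's code), standard TEA encryption next to a decryption routine written the way the challenge binary does it, so that the 0x61C88647 constant and the -32*delta starting sum can be checked against the usual 0x9E3779B9 form; the key {2, 2, 3, 4} is the one from the write-up, the sample block is constructed.

```c
#include <stdint.h>
#include <stdio.h>

#define TEA_ROUNDS 32
#define TEA_DELTA 0x9E3779B9u

static const uint32_t WRITEUP_KEY[4] = {2, 2, 3, 4}; /* key from the write-up */

/* Standard TEA encryption of one 64-bit block with a 128-bit key. */
void tea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        sum += TEA_DELTA;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Decryption in the challenge's disguised form: 0x61C88647 == -0x9E3779B9
   mod 2^32, so "sum += 0x61C88647" is really "sum -= delta" and the start
   value -32*0x61C88647 is 32*delta = 0xC6EF3720. Same cipher, odd constant. */
void tea_decrypt_disguised(uint32_t v[2], const uint32_t k[4]) {
    const uint32_t neg_delta = 0x61C88647u;
    uint32_t v0 = v[0], v1 = v[1], sum = (uint32_t)(-32) * neg_delta;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum += neg_delta;
    }
    v[0] = v0; v[1] = v1;
}

/* Starting sum of the disguised loop, for comparison with 32*TEA_DELTA. */
uint32_t tea_disguised_start_sum(void) { return (uint32_t)(-32) * 0x61C88647u; }

/* Encrypt a block with the write-up key, decrypt it the disguised way, compare. */
int tea_roundtrip_ok(uint32_t a, uint32_t b) {
    uint32_t v[2] = {a, b};
    tea_encrypt(v, WRITEUP_KEY);
    tea_decrypt_disguised(v, WRITEUP_KEY);
    return v[0] == a && v[1] == b;
}

int main(void) {
    uint32_t v[2] = {0x41414141, 0x42424242}; /* constructed sample block */
    tea_encrypt(v, WRITEUP_KEY);
    printf("enc: %08x %08x\n", v[0], v[1]);
    tea_decrypt_disguised(v, WRITEUP_KEY);
    printf("dec: %08x %08x\n", v[0], v[1]);
    return 0;
}
```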

no_py

The pyc decompiles poorly.

After using an online tool, I found that key and enc live in other files; it feels identical to beginCTF's ezpython.

roulette

A game that is basically unwinnable by playing it.

Algorithm identification found Blowfish.

The Chinese-localized 7.5 build handles it well.

Later I followed the challenge's intended approach: patch the program and finish in one go. It should be self-decrypting, so there is no need to decrypt it myself; the program does it for me.

HSCCTF{H31L0_My_FR13ND!}

the_wolf_song

It can be identified, but is of no use.

Debug past the music at the start.

RC4 algorithm; the first memory region gets initialized.

The whole pipeline is in the first line of the code below.

# pipeline recovered from the binary: ^6 -> ^3 -> rc4:HSCCTF{FAKE_FLAG!} -> ^j -> ^fake_flag[i] ^fake_flag[i+1] -> ^j
fake_flag = 'HSCCTF{FAKE_FLAG!}'
enc = [0xce,0x26,0x9c,0x7,0x48,0xd9,0xfd,0x23,0xba,0x9a,0x40,0xa8,0x2e,0xbd,0xfc,0x77,0xb7,0x5d,0x7e,0x67,0x99,0xfd,0xcd,0x63,0x13,0xa,0x94,0x5b,0x95,0x2c,0x26,0x60,0x1e,0x1e,0xb4,0x30,0x89,0xcf,0xef,0x68]
print(len(enc))


def rc4(data, key):
    # plain RC4: key scheduling, then the keystream XORed over data
    S = list(range(256))
    j = 0
    out = []

    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) % 256
        S[i], S[j] = S[j], S[i]

    i = j = 0
    for char in data:
        i = (i + 1) % 256
        j = (j + S[i]) % 256
        S[i], S[j] = S[j], S[i]
        out.append(char ^ S[(S[i] + S[j]) % 256])

    return out


# for i in range(len(enc)):
#     enc[i] ^= i
# undo the fake_flag[i+1] layer, then the fake_flag[i] layer (XOR is its own inverse)
for i in range(len(fake_flag) - 1):
    enc[i] ^= ord(fake_flag[i + 1])

for i in range(len(fake_flag)):
    enc[i] ^= ord(fake_flag[i])

# for i in range(len(enc)):
#     enc[i] ^= i

key = fake_flag.encode()
decrypted = rc4(enc, key)
# print(decrypted)

# undo the leading ^6 and ^3 layers
flag = ''
for i in range(len(decrypted)):
    flag += chr(decrypted[i] ^ 3 ^ 6)
print(flag)

HSCCTF{Welcome_To_Participate_In_HSCCTF}

Android-1

Reproduction based on yuro✌

Find the key function: the murmur3_32 hash algorithm, which yields a 32-byte hash that is used as the key.

Surprisingly, the plugin did not recognize SM4? You can spot it from the constants.

The same plugin recognizes it in IDA 7.7.

Hook the _Z10murmur3_32PKcjj function to get its return value.

var func_addr = Module.findExportByName("libmidand.so", "_Z10murmur3_32PKcjj");
console.log("func addr is ---" + func_addr);
Interceptor.attach(func_addr, {
    // onLeave receives the return value, not the arguments; the hash is 32 bytes
    onLeave: function (retval) {
        console.log("enter murmur3_32 retvalue->\n" + hexdump(retval, { length: 32 }));
    }
});

I used the LDPlayer emulator; the setup steps are available online, or see this:

https://www.yuque.com/u34082223/swqzq3/zdpepl9de1zwz7mw

After starting the remote frida-server, run frida -U -l 1.js -f MidAnd. At first MidAnd could not be found; I had to use findstr.

At first it kept erroring out.

Typing characters in the emulator and then clicking login fixed it.

Then decrypt with SM4.

from gmssl import sm4

enc = bytearray.fromhex("731E133EF76A5CD1EF9626A9947CF4A46CE237B70D4905E921E35E2E7D7A1A74")
"""
hexdump of the 32-byte return value captured by the Frida hook:
0 1 2 3 4 5 6 7 8 9 A B C D E F 0123456789ABCDEF
7f13c97b0d00 c4 83 84 72 b8 e1 60 ba 5d 99 5a 6b e3 67 40 17 ...r..`.].Zk.g@.
7f13c97b0d10 7c 3f 33 21 91 1c fa 54 8f 35 30 73 dd 2b 80 a7 |?3!...T.50s.+..
"""
# first and second 16 bytes of the hash, one SM4 key per ciphertext block
key1 = bytearray.fromhex("c4838472b8e160ba5d995a6be3674017")
key2 = bytearray.fromhex("7c3f3321911cfa548f353073dd2b80a7")

s = sm4.CryptSM4(padding_mode=sm4.zero_padding)

# ciphertext is exactly two 16-byte ECB blocks, each decrypted with its own key
s.set_key(key1, sm4.SM4_DECRYPT)
dec = s.crypt_ecb(enc[:16])
print(dec.decode(), end="")

s.set_key(key2, sm4.SM4_DECRYPT)
dec = s.crypt_ecb(enc[16:])
print(dec.decode(), end="")

flag{fad1c7e27ec411eebe3a3e4419a1b3cc}

Crypto

funny


Source: https://j1ya-22.github.io/2024/03/10/HSCCTF2024/
Author: j1ya
Published: 2024-03-10