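There were quite a few reverse-engineering challenges this year and they went fairly smoothly. The others were not too hard, and apart from babyAnti I cleared the whole reversing category. That challenge uses the Flutter library; I studied it for a long time without finding any way in and had to give up. Only later did I learn that, as the challenge name suggests, the intended solution is to remove the anti-cheat check and finish it by cheating.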

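RE: confuse_re

The code contains a lot of call $+5 obfuscation, so IDA's F5 no longer works well, but you can still follow the assembly into the real functions, so it makes no real difference.
Main function:

Many strings are encrypted with XOR.

First comes a simple input check on red, orange and blue:

Entering bor leads to the password stage. The core check code is below:

The password is split into two parts, the first 16 bytes and the last 16 bytes. The first part is encrypted first, then the second part is XORed with the encryption result and incremented by 1:

Looking at the key generation and encryption routines, I identified it as AES encryption.

However, the AddRoundKey function additionally XORs with 0x23, so I decrypt with a script. The exp is as follows: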

import re
import binascii


class Aes:
    sbox = [
        0x63, 0x7C, 0x77, 0x7B, 0xF2, 0x6B, 0x6F, 0xC5, 0x30, 0x01, 0x67, 0x2B, 0xFE, 0xD7, 0xAB, 0x76,
        0xCA, 0x82, 0xC9, 0x7D, 0xFA, 0x59, 0x47, 0xF0, 0xAD, 0xD4, 0xA2, 0xAF, 0x9C, 0xA4, 0x72, 0xC0,
        0xB7, 0xFD, 0x93, 0x26, 0x36, 0x3F, 0xF7, 0xCC, 0x34, 0xA5, 0xE5, 0xF1, 0x71, 0xD8, 0x31, 0x15,
        0x04, 0xC7, 0x23, 0xC3, 0x18, 0x96, 0x05, 0x9A, 0x07, 0x12, 0x80, 0xE2, 0xEB, 0x27, 0xB2, 0x75,
        0x09, 0x83, 0x2C, 0x1A, 0x1B, 0x6E, 0x5A, 0xA0, 0x52, 0x3B, 0xD6, 0xB3, 0x29, 0xE3, 0x2F, 0x84,
        0x53, 0xD1, 0x00, 0xED, 0x20, 0xFC, 0xB1, 0x5B, 0x6A, 0xCB, 0xBE, 0x39, 0x4A, 0x4C, 0x58, 0xCF,
        0xD0, 0xEF, 0xAA, 0xFB, 0x43, 0x4D, 0x33, 0x85, 0x45, 0xF9, 0x02, 0x7F, 0x50, 0x3C, 0x9F, 0xA8,
        0x51, 0xA3, 0x40, 0x8F, 0x92, 0x9D, 0x38, 0xF5, 0xBC, 0xB6, 0xDA, 0x21, 0x10, 0xFF, 0xF3, 0xD2,
        0xCD, 0x0C, 0x13, 0xEC, 0x5F, 0x97, 0x44, 0x17, 0xC4, 0xA7, 0x7E, 0x3D, 0x64, 0x5D, 0x19, 0x73,
        0x60, 0x81, 0x4F, 0xDC, 0x22, 0x2A, 0x90, 0x88, 0x46, 0xEE, 0xB8, 0x14, 0xDE, 0x5E, 0x0B, 0xDB,
        0xE0, 0x32, 0x3A, 0x0A, 0x49, 0x06, 0x24, 0x5C, 0xC2, 0xD3, 0xAC, 0x62, 0x91, 0x95, 0xE4, 0x79,
        0xE7, 0xC8, 0x37, 0x6D, 0x8D, 0xD5, 0x4E, 0xA9, 0x6C, 0x56, 0xF4, 0xEA, 0x65, 0x7A, 0xAE, 0x08,
        0xBA, 0x78, 0x25, 0x2E, 0x1C, 0xA6, 0xB4, 0xC6, 0xE8, 0xDD, 0x74, 0x1F, 0x4B, 0xBD, 0x8B, 0x8A,
        0x70, 0x3E, 0xB5, 0x66, 0x48, 0x03, 0xF6, 0x0E, 0x61, 0x35, 0x57, 0xB9, 0x86, 0xC1, 0x1D, 0x9E,
        0xE1, 0xF8, 0x98, 0x11, 0x69, 0xD9, 0x8E, 0x94, 0x9B, 0x1E, 0x87, 0xE9, 0xCE, 0x55, 0x28, 0xDF,
        0x8C, 0xA1, 0x89, 0x0D, 0xBF, 0xE6, 0x42, 0x68, 0x41, 0x99, 0x2D, 0x0F, 0xB0, 0x54, 0xBB, 0x16]
    s_box = {}
    ns_box = {}
    Rcon = {
        1: ['0x01', '0x00', '0x00', '0x00'],
        2: ['0x02', '0x00', '0x00', '0x00'],
        3: ['0x04', '0x00', '0x00', '0x00'],
        4: ['0x08', '0x00', '0x00', '0x00'],
        5: ['0x10', '0x00', '0x00', '0x00'],
        6: ['0x20', '0x00', '0x00', '0x00'],
        7: ['0x40', '0x00', '0x00', '0x00'],
        8: ['0x80', '0x00', '0x00', '0x00'],
        9: ['0x1B', '0x00', '0x00', '0x00'],
        10: ['0x36', '0x00', '0x00', '0x00']
    }
    Matrix = [
        ['0x02', '0x03', '0x01', '0x01'],
        ['0x01', '0x02', '0x03', '0x01'],
        ['0x01', '0x01', '0x02', '0x03'],
        ['0x03', '0x01', '0x01', '0x02']
    ]
    ReMatrix = [
        ['0x0e', '0x0b', '0x0d', '0x09'],
        ['0x09', '0x0e', '0x0b', '0x0d'],
        ['0x0d', '0x09', '0x0e', '0x0b'],
        ['0x0b', '0x0d', '0x09', '0x0e']
    ]
    plaintext = [[], [], [], []]
    plaintext1 = [[], [], [], []]
    subkey = [[], [], [], []]

    def __init__(self, key):
        self.s_box = dict(zip(["0x%02x"%i for i in range(256)], ["0x%02x"%i for i in self.sbox]))
        self.ns_box = dict(zip(self.s_box.values(), self.s_box.keys()))
        for i in range(4):
            for j in range(0, 8, 2):
                self.subkey[i].append("0x" + key[i * 8 + j:i * 8 + j + 2])
        # print(self.subkey)
        for i in range(4, 44):
            if i % 4 != 0:
                tmp = xor_32(self.subkey[i - 1], self.subkey[i - 4],0)
                self.subkey.append(tmp)
            else:  # runs when i is a multiple of 4
                tmp1 = self.subkey[i - 1][1:]
                tmp1.append(self.subkey[i - 1][0])
                # print(tmp1)
                for m in range(4):
                    tmp1[m] = self.s_box[tmp1[m]]
                # tmp1 = self.s_box['cf']
                # integer division: Rcon is keyed by int, and i / 4 is a float in Python 3
                tmp1 = xor_32(tmp1, self.Rcon[i // 4], 0)
                self.subkey.append(xor_32(tmp1, self.subkey[i - 4],0))
        # print(self.subkey)

    def AddRoundKey(self, round):
        # modified AES: every byte is additionally XORed with 0x23
        for i in range(4):
            self.plaintext[i] = xor_32(self.plaintext[i], self.subkey[round * 4 + i],0x23)
        # print('AddRoundKey',self.plaintext)

    def PlainSubBytes(self):
        for i in range(4):
            for j in range(4):
                self.plaintext[i][j] = self.s_box[self.plaintext[i][j]]
        # print('PlainSubBytes',self.plaintext)

    def RePlainSubBytes(self):
        for i in range(4):
            for j in range(4):
                self.plaintext[i][j] = self.ns_box[self.plaintext[i][j]]

    def ShiftRows(self):
        p1, p2, p3, p4 = self.plaintext[0][1], self.plaintext[1][1], self.plaintext[2][1], self.plaintext[3][1]
        self.plaintext[0][1] = p2
        self.plaintext[1][1] = p3
        self.plaintext[2][1] = p4
        self.plaintext[3][1] = p1
        p1, p2, p3, p4 = self.plaintext[0][2], self.plaintext[1][2], self.plaintext[2][2], self.plaintext[3][2]
        self.plaintext[0][2] = p3
        self.plaintext[1][2] = p4
        self.plaintext[2][2] = p1
        self.plaintext[3][2] = p2
        p1, p2, p3, p4 = self.plaintext[0][3], self.plaintext[1][3], self.plaintext[2][3], self.plaintext[3][3]
        self.plaintext[0][3] = p4
        self.plaintext[1][3] = p1
        self.plaintext[2][3] = p2
        self.plaintext[3][3] = p3
        # print('ShiftRows',self.plaintext)

    def ReShiftRows(self):
        p1, p2, p3, p4 = self.plaintext[0][1], self.plaintext[1][1], self.plaintext[2][1], self.plaintext[3][1]
        self.plaintext[3][1] = p3
        self.plaintext[2][1] = p2
        self.plaintext[0][1] = p4
        self.plaintext[1][1] = p1
        p1, p2, p3, p4 = self.plaintext[0][2], self.plaintext[1][2], self.plaintext[2][2], self.plaintext[3][2]
        self.plaintext[0][2] = p3
        self.plaintext[1][2] = p4
        self.plaintext[2][2] = p1
        self.plaintext[3][2] = p2
        p1, p2, p3, p4 = self.plaintext[0][3], self.plaintext[1][3], self.plaintext[2][3], self.plaintext[3][3]
        self.plaintext[0][3] = p2
        self.plaintext[1][3] = p3
        self.plaintext[2][3] = p4
        self.plaintext[3][3] = p1

    def MixColumns(self):
        for i in range(4):
            for j in range(4):
                self.plaintext1[i].append(MatrixMulti(self.Matrix[j], self.plaintext[i]))
        # print('MixColumns',self.plaintext1)

    def ReMixColumns(self):
        for i in range(4):
            for j in range(4):
                self.plaintext1[i].append(MatrixMulti(self.ReMatrix[j], self.plaintext[i]))

    def AESEncryption(self, plaintext):
        self.plaintext = [[], [], [], []]
        for i in range(4):
            for j in range(0, 8, 2):
                self.plaintext[i].append("0x" + plaintext[i * 8 + j:i * 8 + j + 2])
        self.AddRoundKey(0)
        for i in range(9):
            self.PlainSubBytes()
            self.ShiftRows()
            self.MixColumns()
            self.plaintext = self.plaintext1
            self.plaintext1 = [[], [], [], []]
            self.AddRoundKey(i + 1)
        self.PlainSubBytes()
        self.ShiftRows()
        self.AddRoundKey(10)
        return Matrixtostr(self.plaintext)

    def AESDecryption(self, cipher):
        self.plaintext = [[], [], [], []]
        for i in range(4):
            for j in range(0, 8, 2):
                self.plaintext[i].append('0x' + cipher[i * 8 + j:i * 8 + j + 2])
        # print(self.ns_box)
        self.AddRoundKey(10)
        for i in range(9):
            self.ReShiftRows()
            self.RePlainSubBytes()
            self.AddRoundKey(9-i)
            self.ReMixColumns()
            self.plaintext = self.plaintext1
            self.plaintext1 = [[], [], [], []]
        self.ReShiftRows()
        self.RePlainSubBytes()
        self.AddRoundKey(0)
        return Matrixtostr(self.plaintext)

    def Encryption(self, text):
        group = PlaintextGroup(TextToByte(text), 32, 1)
        # print(group)
        cipher = ""
        for i in range(len(group)):
            cipher = cipher + self.AESEncryption(group[i])
        return cipher

    def Decryption(self, cipher):
        group = PlaintextGroup(cipher, 32, 0)
        # print(group)
        text = ''
        for i in range(len(group)):
            text = text + self.AESDecryption(group[i])
        text = ByteToText(text)
        return text


def xor_32(start, end, key):
    a = []
    for i in range(0, 4):
        xor_tmp = ""
        b = hextobin(start[i])
        c = hextobin(end[i])
        d = bin(key)[2:].rjust(8,'0')
        for j in range(8):
            tmp = int(b[j], 10) ^ int(c[j], 10) ^ int(d[j],10)
            xor_tmp += str(tmp )
        a.append(bintohex(xor_tmp))
    return a


def xor_8(begin, end):
    xor_8_tmp = ""
    for i in range(8):
        xor_8_tmp += str(int(begin[i]) ^ int(end[i]))
    return xor_8_tmp


def hextobin(word):
    word = bin(int(word, 16))[2:]
    for i in range(0, 8-len(word)):
        word = '0'+word
    return word


def bintohex(word):
    word = hex(int(word, 2))
    if len(word) == 4:
        return word
    elif len(word) < 4:
        return word.replace('x', 'x0')


def MatrixMulti(s1, s2):
    result = []
    s3 = []
    for i in range(4):
        s3.append(hextobin(s2[i]))
    for i in range(4):
        result.append(MultiProcess(int(s1[i], 16), s3[i]))
    for i in range(3):
        result[0] = xor_8(result[0], result[i+1])
    return bintohex(result[0])


def MultiProcess(a, b):
    if a == 1:
        return b
    elif a == 2:
        if b[0] == '0':
            b = b[1:] + '0'
        else:
            b = b[1:] + '0'
            b = xor_8(b, '00011011')
        return b
    elif a == 3:
        tmp_b = b
        if b[0] == '0':
            b = b[1:] + '0'
        else:
            b = b[1:] + '0'
            b = xor_8(b, '00011011')
        return xor_8(b, tmp_b)
    elif a == 9:
        tmp_b = b
        return xor_8(tmp_b, MultiProcess(2, MultiProcess(2, MultiProcess(2, b))))
    elif a == 11:
        tmp_b = b
        return xor_8(tmp_b, xor_8(MultiProcess(2, MultiProcess(2, MultiProcess(2, b))), MultiProcess(2, b)))
    elif a == 13:
        tmp_b = b
        return xor_8(tmp_b, xor_8(MultiProcess(2, MultiProcess(2, MultiProcess(2, b))), MultiProcess(2, MultiProcess(2, b))))
    elif a == 14:
        return xor_8(MultiProcess(2, b), xor_8(MultiProcess(2, MultiProcess(2, MultiProcess(2, b))), MultiProcess(2, MultiProcess(2, b))))


def Matrixtostr(matrix):
    result = ""
    for i in range(4):
        for j in range(4):
            result += matrix[i][j][2:]
    return result


def PlaintextGroup(plaintext, length, flag):
    group = re.findall('.{'+str(length)+'}', plaintext)
    group.append(plaintext[len(group)*length:])
    if group[-1] == '' and flag:
        group[-1] = '16161616161616161616161616161616'
    elif len(group[-1]) < length and flag:
        tmp = int((length-len(group[-1])) / 2)
        if tmp < 10:
            for i in range(tmp):
                group[-1] = group[-1] + '0'+str(tmp)
        else:
            for i in range(tmp):
                group[-1] = group[-1] + str(tmp)
    elif not flag:
        del group[-1]
    return group


def TextToByte(words):
    text = words.encode('utf-8').hex()
    return text


def ByteToText(encode):
    tmp = int(encode[-2:])
    word = ''
    for i in range(len(encode)-tmp*2):
        word = word + encode[i]
    # print(word)
    word = bytes.decode(binascii.a2b_hex(word))
    return word


def xorbytes(bytes1,bytes2):
    length=min(len(bytes1),len(bytes2))
    output=bytearray()
    for i in range(length):
        output.append(bytes1[i]^bytes2[i])
    return bytes(output)


res='DCDCCC668DF33C15505EEF1646D9D7DF5027447765DCA73968CB7F7B88DD640F'.lower()
key = 'CA9D7FF8A4099004FAD40661E93B775A'.lower()
A1 = Aes(key)
plaintext=A1.AESDecryption(res[:32])
a=bytes.fromhex(plaintext)
b=A1.AESDecryption(res[32:])
b=bytearray(bytes.fromhex(b))
d=bytes.fromhex(res[:32])
for i in range(16):
    b[i]-=1
    b[i]^=d[i]
print((a+b).decode())

This gives the flag:
VNCTF{fa9ad36bd2de1586d944cf7b2935dd91}

RE: PZGalaxy

Looking at the page's JS source, I identified RC4 encryption and wrote an EXP that computes the date:

password=bytes.fromhex('a6703adc92c397f31adf8d6412035907b6d4f7735f1d3a494c4358d1b94f998533e0697c')
from Crypto.Cipher import ARC4
for i in range(1,13):
    for j in range(1,32):
        arc4 = ARC4.new(('2023%02d%02d'%(i,j)).encode())
        if b'flag' in arc4.decrypt(password):
            print('2023%02d%02d'%(i,j))

This gives the date: 20230127
Then submit it on the web page to get the flag
flag{HitYourSoulAndSeeYouInTheGalaxy}

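RE: jijiji

There is a shell in the resources that automatically starts a process and terminates the parent process.

After decrypting the shell resource, save it as dump.exe; it can then be run with the following command line:
dump.exe jijiji.exe 16000
The core code is as follows:

It is just a modified XTEA cipher.
exp: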

import struct


def decrypt(rounds, v, k):
    v0 = v[0]
    v1 = v[1]
    delta = 0x88408067
    x = delta * rounds
    for i in range(rounds):
        x -= delta
        x = x & 0xFFFFFFFF
        v1 -= (((v0 << 4) ^ (v0 >> 5)) + v0) ^ (x + k[(x >> 11) & 3])
        v1 = v1 & 0xFFFFFFFF
        v0 -= (((v1 << 4) ^ (v1 >> 5)) + v1) ^ (x + k[x & 3]) ^ x
        v0 = v0 & 0xFFFFFFFF
    return [v0,v1]


key = [98, 111, 109, 98]
rounds = 33
res=bytes.fromhex('78F7D4AD32F1D7A690328161A6404A2D115FB0002494D5B6C6BF1B23315B40CD')
#test=b'0123456789abcdef0123456789abcdef'
for i in range(len(res)//8):
    data=res[i*8:i*8+8]
    value=struct.unpack('<2I',data)
    decrypted = decrypt(rounds, value, key)
    print(struct.pack('<2I',*decrypted).decode(),end='')

This gives the flag:
2d326e43eb8fea8837737fc0f50f83f2
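
The forward direction of this modified XTEA, obtained by inverting the decrypt() above, makes the changes from standard XTEA visible: a different delta, 33 rounds, one sum value x shared by both half-rounds, and an extra "^ x" in the v0 half-round. This is an added example, not code from the original post or from the challenge binary; the names f0, f1, encrypt_block, decrypt_block and crypt_bytes are assumptions made for illustration.

```python
import struct

MASK = 0xFFFFFFFF
DELTA = 0x88408067          # non-standard delta, from the write-up's decrypt()
ROUNDS = 33                 # round count used in the write-up
KEY = [98, 111, 109, 98]    # key words used in the write-up
# Ciphertext from the write-up
RES = bytes.fromhex('78F7D4AD32F1D7A690328161A6404A2D'
                    '115FB0002494D5B6C6BF1B23315B40CD')
# Constructed test input (the write-up's commented-out test string)
SAMPLE = b'0123456789abcdef0123456789abcdef'


def f0(v1, x, k):
    """Mix applied to v0: XTEA's half-round with an extra '^ x'."""
    return ((((v1 << 4) ^ (v1 >> 5)) + v1) ^ (x + k[x & 3]) ^ x) & MASK


def f1(v0, x, k):
    """Mix applied to v1: same shape as XTEA's second half-round."""
    return ((((v0 << 4) ^ (v0 >> 5)) + v0) ^ (x + k[(x >> 11) & 3])) & MASK


def encrypt_block(v, k, rounds=ROUNDS):
    v0, v1 = v
    x = 0
    for _ in range(rounds):
        v0 = (v0 + f0(v1, x, k)) & MASK
        v1 = (v1 + f1(v0, x, k)) & MASK
        x = (x + DELTA) & MASK      # sum advances once per round, after both halves
    return v0, v1


def decrypt_block(v, k, rounds=ROUNDS):
    v0, v1 = v
    x = (DELTA * rounds) & MASK
    for _ in range(rounds):
        x = (x - DELTA) & MASK
        v1 = (v1 - f1(v0, x, k)) & MASK
        v0 = (v0 - f0(v1, x, k)) & MASK
    return v0, v1


def crypt_bytes(data, k, block_fn):
    """Apply block_fn to each 8-byte little-endian block of data."""
    if len(data) % 8:
        raise ValueError('length must be a multiple of 8 bytes')
    out = bytearray()
    for off in range(0, len(data), 8):
        words = struct.unpack('<2I', data[off:off + 8])
        out += struct.pack('<2I', *block_fn(words, k))
    return bytes(out)


if __name__ == '__main__':
    ct = crypt_bytes(SAMPLE, KEY, encrypt_block)
    print(ct.hex(), crypt_bytes(ct, KEY, decrypt_block))
```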

WEB: 象棋王子 (Chess Prince)

Sign-in (warm-up) challenge

Copy out the script and run it directly in the console.
flag{w3lc0m3_t0_VNCTF_2023—}

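MISC: snake on web

At first glance it is a web challenge, but the code is wasm; reversing it directly gives the core logic.

Record the data while debugging, then recover the flag with a script: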

b=b'sfaceratrebumverodolorindolortakimataverou'
a=bytes.fromhex('84fdffff7b02000075020000790200006b020000bbfdffff79020000b7fdffffa0fdffff75020000c0fdffffb7fdffffbcfdffffc8fdffffa7fdffffbafdffffc2fdffffa4fdffffd3fdffffbdfdffff8efdffff85fdffffc2fdffffd0fdffff96fdffffbdfdffffc1fdffffc2fdffffccfdffffd1fdffffa7fdffffc3fdffff8dfdffffbefdffffabfdffffa3fdffff74020000d3fdffffc1fdffffbbfdffffbbfdffff7d02000075020000')
for i in range(len(a)//4-1):
    data=a[i*4:i*4+4]
    print(chr(((0x72^((data[0]^2)-5))+b[i])&0xff),end='')

Result:
flag{8e6ae178-7387-4db2-a788-039a27bd4185}

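RE: dll_puzzle

Debug and run it as the challenge hint suggests.

The code has no symbols, so system functions such as MessageBox can only be identified by debugging, and many symbols and variables are also modified at runtime, for example the Sbox, FK and Key used by the SM4 encryption.

Watch out for the code's anti-debugging, which has to be skipped. Once the correct decryption parameters are obtained the script can be written (the final decryption turned out to be plain, unmodified SM4). The result check afterwards uses a system of equations in 80 variables, which Z3 solves. Final exp: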

from sm4 import SM4Key
from z3 import *
s = Solver()
flag = [BitVec('flag%d' % i, 16) for i in range(80)]
for i in range(len(flag)):
    s.add(And(flag[i]>=0x0,flag[i]<=0xff))
s.add(5 * (flag[1]) + 8 * (flag[0]) == 2669   )
s.add(6 * (flag[1]) + 4 * (flag[2]) == 1402   )
s.add(3 * (flag[3]) + 6 * (flag[2]) == 873    )
s.add(7 * (flag[4]) + 6 * (flag[3]) == 2627   )
s.add(8 * (flag[5]) + 4 * (flag[4]) == 2516   )
s.add(9 * (flag[6]) + 5 * (flag[5]) == 2781   )
s.add(3 * (flag[6]) + 4 * (flag[7]) == 1228   )
s.add(5 * (flag[8]) + 9 * (flag[7]) == 1821   )
s.add(7 * (flag[9]) + 5 * (flag[8]) == 554    )
s.add(6 * (flag[10]) + 9 * (flag[9]) == 825   )
s.add(5 * (flag[11]) + 6 * (flag[10]) == 1857 )
s.add(3 * (flag[11]) + 4 * (flag[12]) == 1627 )
s.add(7 * (flag[13]) + 5 * (flag[12]) == 2279 )
s.add(3 * (flag[14]) + 9 * (flag[13]) == 1974 )
s.add(6 * (flag[15]) + 6 * (flag[14]) == 2382 )
s.add(7 * (flag[15]) + 8 * (flag[16]) == 1903 )
s.add(8 * (flag[17]) + 8 * (flag[16]) == 1336 )
s.add(3 * (flag[18]) + 6 * (flag[17]) == 822  )
s.add(5 * (flag[19]) + 8 * (flag[18]) == 381  )
s.add(3 * (flag[20]) + 5 * (flag[19]) == 823  )
s.add(5 * (flag[21]) + 5 * (flag[20]) == 1680 )
s.add(6 * (flag[21]) + 8 * (flag[22]) == 2116 )
s.add(9 * (flag[23]) + 3 * (flag[22]) == 1059 )
s.add(3 * (flag[23]) + 8 * (flag[24]) == 1314 )
s.add(3 * (flag[25]) + 9 * (flag[24]) == 1641 )
s.add(5 * (flag[25]) + 8 * (flag[26]) == 2148 )
s.add(3 * (flag[27]) + 3 * (flag[26]) == 669  )
s.add(5 * (flag[28]) + 9 * (flag[27]) == 953  )
s.add(5 * (flag[29]) + 7 * (flag[28]) == 1896 )
s.add(3 * (flag[30]) + 3 * (flag[29]) == 1275 )
s.add(5 * (flag[31]) + 7 * (flag[30]) == 2874 )
s.add(9 * (flag[32]) + 6 * (flag[31]) == 1518 )
s.add(7 * (flag[33]) + 5 * (flag[32]) == 1312 )
s.add(6 * (flag[34]) + 5 * (flag[33]) == 2148 )
s.add(9 * (flag[34]) + 8 * (flag[35]) == 2979 )
s.add(3 * (flag[35]) + 4 * (flag[36]) == 476  )
s.add(6 * (flag[37]) + 3 * (flag[36]) == 1047 )
s.add(7 * (flag[38]) + 4 * (flag[37]) == 1488 )
s.add(6 * (flag[39]) + 6 * (flag[38]) == 1320 )
s.add(5 * (flag[40]) + 6 * (flag[39]) == 1784 )
s.add(3 * (flag[41]) + 8 * (flag[40]) == 1994 )
s.add(7 * (flag[42]) + 3 * (flag[41]) == 712  )
s.add(3 * (flag[43]) + 3 * (flag[42]) == 1002 )
s.add(5 * (flag[44]) + 7 * (flag[43]) == 2094 )
s.add(3 * (flag[45]) + 3 * (flag[44]) == 465  )
s.add(5 * (flag[46]) + 6 * (flag[45]) == 1479 )
s.add(3 * (flag[47]) + 6 * (flag[46]) == 1281 )
s.add(7 * (flag[48]) + 4 * (flag[47]) == 1064 )
s.add(3 * (flag[49]) + 4 * (flag[48]) == 985  )
s.add(3 * (flag[50]) + 4 * (flag[49]) == 922  )
s.add(7 * (flag[51]) + 8 * (flag[50]) == 1672 )
s.add(9 * (flag[51]) + 4 * (flag[52]) == 1740 )
s.add(6 * (flag[53]) + 7 * (flag[52]) == 1185 )
s.add(6 * (flag[54]) + 9 * (flag[53]) == 711  )
s.add(4 * (flag[55]) + 4 * (flag[54]) == 256  )
s.add(7 * (flag[56]) + 8 * (flag[55]) == 744  )
s.add(5 * (flag[57]) + 8 * (flag[56]) == 1674 )
s.add(6 * (flag[58]) + 3 * (flag[57]) == 834  )
s.add(3 * (flag[59]) + 4 * (flag[58]) == 348  )
s.add(9 * (flag[59]) + 4 * (flag[60]) == 952  )
s.add(3 * (flag[60]) + 4 * (flag[61]) == 1117 )
s.add(7 * (flag[62]) + 9 * (flag[61]) == 1853 )
s.add(6 * (flag[63]) + 9 * (flag[62]) == 399  )
s.add(3 * (flag[64]) + 6 * (flag[63]) == 1011 )
s.add(6 * (flag[65]) + 9 * (flag[64]) == 3171 )
s.add(8 * (flag[66]) + 8 * (flag[65]) == 1760 )
s.add(7 * (flag[67]) + 7 * (flag[66]) == 861  )
s.add(6 * (flag[68]) + 6 * (flag[67]) == 1710 )
s.add(7 * (flag[68]) + 8 * (flag[69]) == 1578 )
s.add(7 * (flag[70]) + 9 * (flag[69]) == 1280 )
s.add(3 * (flag[71]) + 6 * (flag[70]) == 1134 )
s.add(3 * (flag[72]) + 8 * (flag[71]) == 1003 )
s.add(9 * (flag[72]) + 8 * (flag[73]) == 1345 )
s.add(5 * (flag[74]) + 4 * (flag[73]) == 928  )
s.add(3 * (flag[74]) + 4 * (flag[75]) == 824  )
s.add(6 * (flag[76]) + 8 * (flag[75]) == 1840 )
s.add(9 * (flag[77]) + 7 * (flag[76]) == 1200 )
s.add(3 * (flag[77]) + 8 * (flag[78]) == 2032 )
s.add(5 * (flag[79]) + 5 * (flag[78]) == 1795 )
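s.add(7 * (flag[79]) + 8 * (flag[0]) == 2584  )
if s.check() != sat:
    print ("error!")
count=0
while s.check() == sat:
    m = s.model()
    count+=1
    data=[m[flag[i]].as_long() for i in range(80)]
    for j in range(256):
        key_data = list(bytes.fromhex('206232332E74762F7946524337685900'))
        for k in range(len(key_data)):
            key_data[k]^=(j^0x2a)
        # use a separate name so the Z3 variable list `flag` is not overwritten
        plain=b''
        sm4 = SM4Key(bytes(key_data))
        plain = sm4.decrypt(bytes(data))
        # checkflag() is the author's helper and is not shown in the post
        if checkflag(plain[:10]):
            print(j,bytes.fromhex(plain.strip(b'\x00').decode()))
            break
    # exclude this model so the loop moves on to the next solution and terminates
    s.add(Or([flag[i] != data[i] for i in range(80)]))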

This gives the TheAnswerToTheUltimateQuestionOfLifeTheUniverseAndEverything value and the flag:
42 flag{3f27d7470d8967fd344ec7f1261e64b3}
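Entering it into license.ini passes verification:

I was actually stuck on the SM4 decryption for a long time. After talking with the challenge author, I found that the SM4 source I was using was faulty; since all the parameters are the defaults, CyberChef can solve it directly too~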
