轩辕杯re-wp

你知道base吗

image-20250519170343421

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
#include <stdio.h>
#include <stdint.h>
 
void encrypt (uint32_t* v, uint32_t* k) {
    uint32_t v0=v[0], v1=v[1], sum=0, i;
    uint32_t delta=0x9e3779b9;
    uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];
    for (i=0; i < 32; i++) {
        sum += delta;
        v0 += ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
        v1 += ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
    }
    v[0]=v0; v[1]=v1;
}
 
void decrypt (uint32_t* v, uint32_t* key) {
    uint32_t v0=v[0], v1=v[1], i;
    uint32_t delta=0x61C88647;
    uint32_t sum = -delta*32;
   
    for (i=0; i<32; i++) {

        v1 -= (key[3] + (v0 >> 5)) ^ (sum + v0) ^ (key[2] + 16 * v0);
        v0 -= (key[1] + (v1 >> 5)) ^ (sum + v1) ^ (*key + 16 * v1);
        sum += 0x61C88647;
    }
    v[0]=v0; v[1]=v1;
}

int main(){
    uint32_t key[4];
   key[0] = 0x12345678;
  key[1] = 0x3456789A;
  key[2] = 0x89ABCDEF;
  key[3] = 0x12345678;

    uint32_t enc[4];
     enc[0] = 0xA92F3865;
    enc[1] = 0x9E60E953;

    
        decrypt(enc,key);
    
    uint8_t *flag;
    flag=(uint8_t *)enc;
    for(int i=0;i<16;i++){
        printf("%x ",flag[i]%128);
    }


}

y0uokTea

image-20250519170434317

image-20250519170607064

image-20250519170746092

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
import struct
from typing import Optional

# 自定义Base32字母表(与C代码中的a3数组完全一致,注意包含'+'和'/')
BASE32_ALPHABET = "gVxwoFhPyT/YM0BKcHe4b8GCUZtlnLW2SJO51IErk+q6vzpamdARX9siND3uQfj7"


# 编码函数(修复索引偏移)
def base32_encode(data: bytes, alphabet: str = BASE32_ALPHABET, padding: bool = False) -> str:
    if not data:
        return ""

    # 验证字母表合法性
    if len(alphabet) != 64 or len(set(alphabet)) != 64:
        raise ValueError("Invalid Base32 alphabet (must be 64 unique characters)")

    encoded = []
    # 每5字节为一组进行处理
    for i in range(0, len(data), 5):
        chunk = data[i:i + 5]
        # 填充字节并记录原始长度
        pad_len = 5 - len(chunk)
        if pad_len > 0:
            chunk += b'\x00' * pad_len

        # 将5字节合并为40位整数(大端序)
        num = int.from_bytes(chunk, byteorder='big')

        # 提取8个5位段(从高位到低位),索引从1开始(对应C代码的+1)
        segments = [(num >> shift) & 0x1F for shift in [35, 30, 25, 20, 15, 10, 5, 0]]
        for seg in segments:
            encoded.append(alphabet[seg + 1])  # 关键修复:索引+1

    # 处理填充字符
    if padding:
        # 计算需要添加的'='数量(每5字节对应8字符,不足补=)
        total_chars = len(data) * 8 // 5 + (1 if len(data) % 5 else 0)
        pad_count = (total_chars * 5 - len(data)) % 5
        if pad_count:
            encoded.extend(['='] * (8 - (len(data) % 5) * 8 // 5))

    return ''.join(encoded)


# 解码函数(修复索引偏移和大小写敏感问题)
def base32_decode(s: str, alphabet: str = BASE32_ALPHABET, strict: bool = False) -> Optional[bytes]:
    # 移除填充并保留大小写敏感性
    s = s.rstrip('=')
    if not s:
        return b''

    # 构建反向映射表(保留大小写敏感)
    dec_table = {char: idx for idx, char in enumerate(alphabet)}

    # 严格模式检查
    if strict:
        if len(s) % 8 not in {0, 2, 4, 5, 7}:
            raise ValueError("Invalid encoded length")
        for char in s:
            if char not in dec_table:
                raise ValueError(f"Invalid character: {char}")

    # 处理每个8字符块
    decoded = bytearray()
    for i in range(0, len(s), 8):
        chunk = s[i:i + 8]
        # 填充缺失字符(用字母表第0个字符填充,对应C代码的a3[0])
        if len(chunk) < 8:
            chunk += alphabet[0] * (8 - len(chunk))

        # 转换为40位整数(注意索引修正)
        num = 0
        for char in chunk:
            num = (num << 5) | (dec_table[char] - 1)  # 关键修复:索引-1

        # 转换为5字节并去除填充
        decoded_bytes = num.to_bytes(5, byteorder='big')
        # 计算实际有效字节数
        if i + 8 > len(s):
            valid_bits = len(s) * 5 - i * 5
            valid_bytes = (valid_bits + 7) // 8
            decoded.extend(decoded_bytes[:valid_bytes])
        else:
            decoded.extend(decoded_bytes)

    return bytes(decoded)


# ---------- 验证测试用例 ----------
if __name__ == "__main__":
    # 原始问题中的目标字符串
    target = "0tCPwtnncFZyYUlSK/4Cw0/echcG2lteBWnG2Ulw0htCYTMW"

    # 编码测试(注意输入需要是bytes)
    original_data = b"Hello Base32!"
    encoded = base32_encode(original_data, padding=True)
    decoded = base32_decode(encoded)

    print(f"Original: {original_data}")
    print(f"Encoded : {encoded}")
    print(f"Decoded : {decoded}")
    print("Match   :", decoded == original_data)
    print("-" * 40)

    # 解码题目中的目标字符串
    decoded_target = base32_decode(target)
    print(f"Target String: {target}")
    print(f"Decoded Bytes: {decoded_target.hex()}")
    print(f"UTF-8 Decoded: {decoded_target.decode('utf-8', errors='replace')}")

无由持一碗,寄与爱茶人

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
#include <stdio.h>
#include <stdint.h>
 
void encrypt (uint32_t* v, uint32_t* k) {
    uint32_t v0=v[0], v1=v[1], sum=0, i;
    uint32_t delta=0x9e3779b9;
    uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];
    for (i=0; i < 32; i++) {
        sum += delta;
        v0 += ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
        v1 += ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
    }
    v[0]=v0; v[1]=v1;
}
 
void decrypt (uint32_t* v, uint32_t* k) {
    uint32_t v0=v[0], v1=v[1], i;
    uint32_t delta=0x9e3779b9;
    uint32_t sum = delta*32;
    uint32_t k0=k[0], k1=k[1], k2=k[2], k3=k[3];
    for (i=0; i<32; i++) {
        v1 -= ((v0<<4) + k2) ^ (v0 + sum) ^ ((v0>>5) + k3);
        v0 -= ((v1<<4) + k0) ^ (v1 + sum) ^ ((v1>>5) + k1);
        sum -= delta;
    }
    v[0]=v0; v[1]=v1;
}

int main(){
    uint32_t key[4];
    key[0] = 1646625;
    key[1] = 164438;
    key[2] = 164439;
    key[3] = 2631985;

    uint32_t enc[6];
    enc[0] = 0xE1D62264;
    enc[1] = 0x2BBC17A2;
    enc[2] = 0x3AA856CA;
    enc[3] = 0x7E38322B;
    enc[4] = 0xBC08EBCF;
    enc[5] = 0x4A04CF6E;

    for(int i=0;i<3;i+=2){
        decrypt(&enc[i],key);
    }
    uint8_t *flag;
    flag=(uint8_t *)enc;
    for(int i=0;i<24;i++){
        printf("%c",flag[i]);
    }


}
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
#include <stdio.h>
#include <stdint.h>
 
void encrypt (uint32_t* v, uint32_t* key) {
    uint32_t v0=v[0], v1=v[1], sum=0, i;
    uint32_t delta=0x9e3779b9;
  
    for (i=0; i < 32; i++) {
      v1 += (((v0 >> 5) ^ (16 * v0)) + v0) ^ (key[sum & 3] + sum);
    sum -= 0x61C88647;
    v0 += (((v1 >> 5) ^ (16 * v1)) + v1) ^ (key[(sum >> 11) & 3] + sum);
    }
    v[0]=v0; v[1]=v1;
}
 
void decrypt (uint32_t* v, uint32_t* key) {
    uint32_t v0=v[1], v1=v[0], i;
    uint32_t delta=0x9e3779b9;
    uint32_t sum = 0xC6EF3720;
  
    for (i=0; i<32; i++) {


       v0 -= (((v1 >> 5) ^ (16 * v1)) + v1) ^ (key[(sum >> 11) & 3] + sum);
        sum += 0x61C88647;
       
    v1 -= (((v0 >> 5) ^ (16 * v0)) + v0) ^ (key[sum & 3] + sum);

    }
    v[0]=v0; v[1]=v1;
}

int main(){
    uint32_t key[4];

    uint32_t enc[4];
    key[0] = 0x15574396;
    key[1] = 0x114514;
    key[2] = 0x5201314;
    key[3] = 0x7355608;
    enc[0] = 0x876E3624;
    enc[1] = 0xA8612878;
    enc[2] = 0x3F089D1C;
    enc[3] = 0x4A250D5C;
    
    for(int i=0;i<4;i+=2){
        decrypt(&enc[i],key);
    }
  
    uint8_t *flag;
    flag=(uint8_t *)enc;
    for(int i=0;i<24;i++){
        printf("%x ",flag[i]);
    }


}

Android

image-20250519185824969

直接搜

image-20250519190152704

image-20250519190224344

image-20250519190233576

image-20250519191111928

image-20250519191427023

hookme

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
Java.perform(function (){

   let MainActivity = Java.use("com.example.hookme.MainActivity");
MainActivity["rc4Encrypt"].implementation = function (input) {
    console.log(`MainActivity.rc4Encrypt is called: input=${input}`);
    let result = this["rc4Encrypt"](input);
    console.log(`MainActivity.rc4Encrypt result=${result}`);
    return result;
};

// let MainActivity = Java.use("com.example.hookme.MainActivity");
MainActivity["hexStringToByteArray"].implementation = function (hex) {
    console.log(`MainActivity.hexStringToByteArray is called: hex=${hex}`);
    let result = this["hexStringToByteArray"](hex);
    console.log(`MainActivity.hexStringToByteArray result=${result}`);
    return result;
};



// let MainActivity = Java.use("com.example.hookme.MainActivity");
MainActivity["hexStringToByteArray"].implementation = function (hex) {
    console.log(`MainActivity.hexStringToByteArray is called: hex=${hex}`);
    let result = this["hexStringToByteArray"](hex);
    console.log(`MainActivity.hexStringToByteArray result=${result}`);
    return result;
};

});

image-20250519192109489

1
2
3
4
5
6
7
8
9
10
11
data=[-91,107,-22,-34,-6,-94,-76,-128,-86,68,-27,-25,-104,-57,-66,98,-127,-5,-11,-80,-73,94,79,-26,-14,-22,44,-61,-123,-69,-102,38,-81,-40,-107,-99,-7,82,-28,-36,97,2,10,4,-47,-2,56,-10,-83,85,82,30,82,-16,-90,27,-72
]
for i in range(len(data)):
    print(data[i]&0xff,end=' ')
print()
print(len("1111111111111111111111111111111111111"))
print(len("flag{ee9fb062624c1e527fab36d"))

enc=[0x66,0x6c,0x61,0x67,0x7b,0x65,0x65,0x39,0x66,0x62,0x30,0x36,0x32,0x36,0x32,0x34,0x63,0x31,0x65,0x35,0x32,0x37,0x66,0x61,0x62,0x33,0x36,0x64,0x10,0xb0,0x40,0xcc,0x60,0x40,0x16,0x78,0x60,0x68]
for i in range(len(enc)):
    print(chr(enc[i]%128),end=' ')

ezbase

image-20250519194433034

封印

flag{REAL_EZ_RC4}

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
import base64
import urllib.parse

# 给定的加密密钥
key = 'HereIsFlagggg'

# 给定的加密字符串
enc = '%C2%8EQ%C2%B5%7D5s%01%C2%B380%C2%95%C3%B2%C3%90%0A%C3%9C%C3%B4i'

# 逆向 URL 编码
cipher = urllib.parse.unquote(enc)

# 逆向 Base64 编码
crypt = base64.b64encode(cipher.encode('utf-8'))
cipher = base64.b64decode(crypt).decode('utf-8')

# RC4 解密函数
def rc4_decrypt(cipher, key):
    s_box = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s_box[i] + ord(key[i % len(key)])) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]

    res = []
    i = j = 0
    for s in cipher:
        i = (i + 1) % 256
        j = (j + s_box[i]) % 256
        s_box[i], s_box[j] = s_box[j], s_box[i]
        t = (s_box[i] + s_box[j]) % 256
        k = s_box[t]
        res.append(chr(ord(s) ^ k))
    return ''.join(res)

# 解密
flag = rc4_decrypt(cipher, key)
print("Decrypted flag:", flag)

smc

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
import math

def decrypt(encrypted_value):
    discriminant = 20 * encrypted_value - 16
    sqrt_d = math.sqrt(discriminant)
    a = (-2 + sqrt_d) / 10
    return a

# 加密数据(A列和B列)
encrypted_data = [
    (24.8901, 214.004), (1084.19, 6.9605), (89.2101, 454.905), (876.626, 26.338),
    (157.6, 101.152), (9833.2, 88.162), (66.8661, 236.785), (83.6245, 1423.78),
    (939.25, 190.528), (778.304, 14.7445), (589.413, 229.964), (72.4311, 685.25),
    (212.05, 196.738), (261.442, 192.381), (968.241, 10.882), (578.075, 63.1045),
    (157.6, 538.485), (205.28, 647.185), (516.928, 1003.33), (987.11, 724.404),
    (2248, 102.05), (182.002, 451.1), (246.5, 2284.18), (299.565, 132.385),
    (65.2405, 685.25), (591.041, 8), (529.192, 23.9125), (71.8645, 5079.28),
    (87.328, 2178.58), (1230.11, 67.4125), (257.128, 33.058), (125.051, 921.524),
    (504.808, 555.204)
]

# 解密数据
decrypted_data = []
for a, b in encrypted_data:
    decrypted_a = decrypt(a)
    decrypted_b = decrypt(b)
    decrypted_data.append((decrypted_a, decrypted_b))

# 输出结果
print("Decrypted Data:")
print("|      Original A     |      Original B     |")
print("|---------------------|---------------------|")
for a, b in decrypted_data:
    print(f"| {a:18.4f} | {b:18.4f} |")