羊城杯

grand2025-10-122025-10-12

GD1

def decode_binary_string(binary_str):
    result = ""
    for i in range(0, len(binary_str), 12):
        chunk = binary_str[i:i+12]
        if len(chunk) != 12:
            break  # 忽略不完整的12位组
        
        # 分割为4-4-4
        hundreds = chunk[0:4]
        tens = chunk[4:8]
        units = chunk[8:12]
        
        # 转换为十进制
        hundreds_dec = int(hundreds, 2)
        tens_dec = int(tens, 2)
        units_dec = int(units, 2)
        
        # 组合成ASCII码
        ascii_code = hundreds_dec * 100 + tens_dec * 10 + units_dec
        result += chr(ascii_code)
    
    return result

# 原始二进制字符串
a = "000001101000000001100101000010000011000001100111000010000100000001110000000100100011000100100000000001100111000100010111000001100110000100000101000001110000000010001001000100010100000001000101000100010111000001010011000010010111000010000000000001010000000001000101000010000001000100000110000100010101000100010010000001110101000100000111000001000101000100010100000100000100000001001000000001110110000001111001000001000101000100011001000001010111000010000111000010010000000001010110000001101000000100000001000010000011000100100101"

# 解码并打印结果
decoded_message = decode_binary_string(a)
print("Decoded Message:", decoded_message)

‍

chal

import base64
import unicorn


CODE_ADDR = 0x01000000
CODE_SIZE = 0x00200000
BUF_BASE = 0x01201000
BUF_SIZE = 0x00010000
INPUT_OFF = 0x1000
START = CODE_ADDR
END = CODE_ADDR + 0x74

# Register ids observed
REG_PTR = 39
REG_LEN = 43
REG_MODE = 40
REG_STACK = 44


def load_code(path="emu_dump/write_0000_0000000001000000.bin"):
    with open(path, 'rb') as f:
        return f.read()


def f_transform(inp: bytes) -> bytes:
    uc = unicorn.Uc(unicorn.UC_ARCH_X86, unicorn.UC_MODE_64)
    uc.mem_map(CODE_ADDR, CODE_SIZE)
    uc.mem_map(BUF_BASE, BUF_SIZE)
    code = load_code()
    uc.mem_write(CODE_ADDR, code)
    buf_ptr = BUF_BASE + INPUT_OFF
    uc.mem_write(buf_ptr, inp)
    uc.reg_write(REG_PTR, buf_ptr)
    uc.reg_write(REG_LEN, 44)
    uc.reg_write(REG_MODE, 7)
    uc.reg_write(REG_STACK, 18939903)
    uc.emu_start(START, END)
    out = uc.mem_read(buf_ptr, 44)
    return out


def main():
    s = b"A" * 44
    out = f_transform(s)
    print('A*44 ->', base64.b64encode(out).decode())


if __name__ == '__main__':
    main()

import base64
import string
from emu_runner import f_transform

def read_target_b64(path='built_strings.log'):
    with open(path, 'r', encoding='utf-8') as f:
        lines = [line.strip() for line in f if line.strip()]
    matches = [l for l in lines if '=' in l and not l.endswith(':') and not l.isalpha()]
    if not matches:
        raise RuntimeError('target base64 not found')
    return matches[-1]  # 使用最新一行

def compute_influence_map(length=44, base_char='A', delta_char='B'):
    base_in = bytes([ord(base_char)] * length)
    base_out = f_transform(base_in)
    influence = {}
    for i in range(length):
        mutated = bytearray(base_in)
        mutated[i] = ord(delta_char)
        mutated_out = f_transform(bytes(mutated))
        diff_idxs = [j for j in range(len(base_out)) if base_out[j] != mutated_out[j]]
        influence[i] = diff_idxs
    return influence

def main():
    T = base64.b64decode(read_target_b64())
    assert len(T) == 44
    
    # 扩充字符集：大小写字母、数字、常见符号
    charset = list(string.ascii_letters + string.digits + "{}_-.!?$@#%&*+=:/")
    
    # 计算影响映射
    influence = compute_influence_map(length=44)
    mapping = {i: v[0] for i, v in influence.items() if len(v) == 1}
    use_mapping = len(mapping) == 44
    print("Use one-to-one influence mapping:", use_mapping)
    
    baseline = bytearray(b'A' * 44)
    result = ['?'] * 44
    
    for i in range(44):
        # 如果有完整映射，使用映射的输出索引；否则使用同索引
        out_idx = mapping[i] if use_mapping else i
        found = None
        
        for ch in charset:
            baseline[i] = ord(ch)
            out = f_transform(bytes(baseline))
            if out[out_idx] == T[out_idx]:
                found = ch
                break
        
        baseline[i] = ord('A')  # 恢复基线
        result[i] = found or '?'
        print(f"pos {i}: {result[i]}")
    
    candidate = ''.join(result)
    print('Candidate (charset-extended):', candidate)

if __name__ == '__main__':
    main()

‍

ez_py

pyarmor和pyinstaller打包

# Source Generated with Decompyle++
# File: src.py.1shot.seq (Python 3.13)

'__pyarmor_enter_54743__(...)'
cipher = [
    1473,
    3419,
    9156,
    1267,
    9185,
    2823,
    7945,
    618,
    7036,
    2479,
    5791,
    1945,
    4639,
    1548,
    3634,
    3502,
    2433,
    1407,
    1263,
    3354,
    9274,
    1085,
    8851,
    3022,
    8031,
    734,
    6869,
    2644,
    5798,
    1862,
    4745,
    1554,
    3523,
    3631,
    2512,
    1499,
    1221,
    3226,
    9237]

def init(key, key_len):
    '__pyarmor_enter_54746__(...)'
    _var_var_0 = 0
    _var_var_1 = None(list, None(range, 256))
    for _var_var_2 in None(range, 256):
        _var_var_0 = (_var_var_0 + _var_var_1[_var_var_2] + key[_var_var_2 % key_len]) % 256
        _var_var_1[_var_var_2], _var_var_1[_var_var_0] = _var_var_1[_var_var_0], _var_var_1[_var_var_2]
    '__pyarmor_exit_54747__(...)'
    return _var_var_1


def make(box):
    '__pyarmor_enter_54749__(...)'
    _var_var_2 = 0
    _var_var_0 = 0
    _var_var_3 = []
    for _var_var_4 in None(range, 256):
        _var_var_2 = (_var_var_2 + 1) % 256
        _var_var_0 = (_var_var_0 + box[_var_var_2]) % 256
        box[_var_var_2], box[_var_var_0] = box[_var_var_0], box[_var_var_2]
        _var_var_5 = (box[_var_var_2] + box[_var_var_0] + _var_var_4 % 23) % 256
        None(_var_var_3.append, box[_var_var_5])
    '__pyarmor_exit_54750__(...)'
    return _var_var_3

if __name__ == '__main__':
    init.__doc__ = '欢迎来到羊城！\nThe key len is:9'
    make.__doc__ = '    flag = list(b"flag{???}")\n    fuck_key = [1,2,3,4,5,6,7,8,9]\n    __ = [i % 0xff for i in fuck_key]\n    key = make(init(bytes(__), len(__)))\n    for i in range(len(cipher)):\n        _ = fuck_key[i % 9] if i % 2 == 0 else (fuck_key[i % 9] * 2) % 0xFFF\n        flag[i] ^= key[i] + _\n    '
    print(init.__doc__)
exit(0)
exit(0)
'__pyarmor_exit_54744__(...)'

分别进行解包

# Decompiled with PyLingual (https://pylingual.io)
# Internal filename: key.py
# Bytecode version: 3.13.0rc3 (3571)
# Source timestamp: 1970-01-01 00:00:00 UTC (0)

import ast
import types
import sys
o0o0o0 = [105084753, 3212558540, 351342182, 844102737, 2002504052, 356536456, 2463183122, 615034880, 1156203296]

def changli(o0o0o1, o0o0o2, o0o0o3):
    o0o0o4 = 2269471011
    o0o0o5 = o0o0o3 & 4294967295
    o0o0o6 = (o0o0o3 >> 8 ^ 305419896) & 4294967295
    o0o0o7 = (o0o0o3 << 4 ^ 2271560481) & 4294967295
    o0o0o8 = (o0o0o3 >> 12 ^ 2882400000) & 4294967295
    o0o0o9 = o0o0o1 & 4294967295
    o0o0o10 = o0o0o2 & 4294967295
    o0o0o11 = 0
    for _ in range(32):
        o0o0o11 = o0o0o11 + o0o0o4 & 4294967295
        o0o0o9 = o0o0o9 + ((o0o0o10 << 4) + o0o0o5 ^ o0o0o10 + o0o0o11 ^ (o0o0o10 >> 4) + o0o0o6) & 4294967295
        o0o0o10 = o0o0o10 + ((o0o0o9 << 4) + o0o0o7 ^ o0o0o9 + o0o0o11 ^ (o0o0o9 >> 4) + o0o0o8) & 4294967295
    return (o0o0o9, o0o0o10)

def Shorekeeper(o0o0o12):
    o0o0o13 = o0o0o12 >> 16
    o0o0o14 = o0o0o12 & 65535
    return (o0o0o13, o0o0o14)

def Kathysia(o0o0o15, o0o0o16):
    return o0o0o15 << 16 | o0o0o16 + 0

def Phrolova(o0o0o17):
    o0oA = 'Carlotta'
    o0oB = ['o0oC', 'o0oD', 'o0oE', 'o0oF']
    o0oG = []
    o0oG.append(ast.Assign(targets=[ast.Name(id='o0oH', ctx=ast.Store())], value=ast.Constant(305419896)))
    o0oG.append(ast.Assign(targets=[ast.Name(id='o0oI', ctx=ast.Store())], value=ast.BinOp(ast.Name(id='o0oE', ctx=ast.Load()), ast.BitAnd(), ast.Constant(65535))))
    o0oG.append(ast.Assign(targets=[ast.Name(id='o0oJ', ctx=ast.Store())], value=ast.BinOp(ast.BinOp(ast.Name(id='o0oE', ctx=ast.Load()), ast.RShift(), ast.Constant(16)), ast.BitAnd(), ast.Constant(65535))))
    o0oG.append(ast.Assign(targets=[ast.Name(id='o0oK', ctx=ast.Store())], value=ast.BinOp(ast.BinOp(ast.Name(id='o0oE', ctx=ast.Load()), ast.BitXor(), ast.Name(id='o0oF', ctx=ast.Load())), ast.BitAnd(), ast.Constant(65535))))
    # o0oL = ((o0oE >> 8) ^ o0oF) & 0xFFFF
    o0oG.append(ast.Assign(
        targets=[ast.Name(id='o0oL', ctx=ast.Store())],
        value=ast.BinOp(
            ast.BinOp(
                ast.BinOp(ast.Name(id='o0oE', ctx=ast.Load()), ast.RShift(), ast.Constant(8)),
                ast.BitXor(),
                ast.Name(id='o0oF', ctx=ast.Load())
            ),
            ast.BitAnd(),
            ast.Constant(65535)
        )
    ))
    o0oG.append(ast.Assign(targets=[ast.Name(id='o0oM', ctx=ast.Store())], value=ast.BinOp(ast.BinOp(ast.Name(id='o0oH', ctx=ast.Load()), ast.Mult(), ast.BinOp(ast.Name(id='o0oF', ctx=ast.Load()), ast.Add(), ast.Constant(1))), ast.BitAnd(), ast.Constant(4294967295))))
    # o0oN = ((o0oD << 5) + 5) + o0oJ
    o0oG.append(ast.Assign(
        targets=[ast.Name(id='o0oN', ctx=ast.Store())],
        value=ast.BinOp(
            ast.BinOp(
                ast.BinOp(ast.Name(id='o0oD', ctx=ast.Load()), ast.LShift(), ast.Constant(5)),
                ast.Add(),
                ast.Constant(5)
            ),
            ast.Add(),
            ast.Name(id='o0oJ', ctx=ast.Load())
        )
    ))
    o0oG.append(ast.Assign(targets=[ast.Name(id='o0oP', ctx=ast.Store())], value=ast.BinOp(ast.BinOp(ast.Name(id='o0oC', ctx=ast.Load()), ast.Add(), ast.Name(id='o0oN', ctx=ast.Load())), ast.BitAnd(), ast.Constant(65535))))
    # o0oN = ((o0oP << 5) + 5) + o0oL
    o0oG.append(ast.Assign(
        targets=[ast.Name(id='o0oN', ctx=ast.Store())],
        value=ast.BinOp(
            ast.BinOp(
                ast.BinOp(ast.Name(id='o0oP', ctx=ast.Load()), ast.LShift(), ast.Constant(5)),
                ast.Add(),
                ast.Constant(5)
            ),
            ast.Add(),
            ast.Name(id='o0oL', ctx=ast.Load())
        )
    ))
    o0oG.append(ast.Assign(targets=[ast.Name(id='o0oQ', ctx=ast.Store())], value=ast.BinOp(ast.BinOp(ast.Name(id='o0oD', ctx=ast.Load()), ast.Add(), ast.Name(id='o0oN', ctx=ast.Load())), ast.BitAnd(), ast.Constant(65535))))
    o0oG.append(ast.Return(ast.Tuple(elts=[ast.Name(id='o0oP', ctx=ast.Load()), ast.Name(id='o0oQ', ctx=ast.Load())], ctx=ast.Load())))
    o0oU = ast.FunctionDef(name=o0oA, args=ast.arguments(posonlyargs=[], args=[ast.arg(arg=a) for a in o0oB], kwonlyargs=[], kw_defaults=[], defaults=[]), body=o0oG, decorator_list=[])
    o0oV = ast.parse('\ndef _tea_helper_func(a, b, c):\n    magic1 = (a ^ b) & 0xDEADBEEF\n    magic2 = (c << 3) | (a >> 5)\n    return (magic1 + magic2 - (b & 0xCAFEBABE)) & 0xFFFFFFFF\n\ndef _fake_tea_round(x, y):\n    return ((x * 0x9E3779B9) ^ (y + 0x12345678)) & 0xFFFFFFFF\n\n_tea_magic_delta = 0x9E3779B9 ^ 0x12345678\n_tea_dummy_keys = [0x1111, 0x2222, 0x3333, 0x4444]\n').body
    o0oW = ast.Module(body=[o0oU] + o0oV, type_ignores=[])
    ast.fix_missing_locations(o0oW)
    o0oX = compile(o0oW, filename='<tea_obf_ast>', mode='exec')
    o0oY = {}
    exec(o0oX, o0oY)
    if o0oA in o0oY:
        o0o0o17[o0oA] = o0oY[o0oA]
    return None
Phrolova(globals())

def shouan(o0o0o32):
    raise ValueError('需要输入9个key') if len(o0o0o32)!= 9 else None

def jinhsi():
    print('请输入9个数字:')
    try:
        o0o0o46 = input().strip()
        if ',' in o0o0o46:
            o0o0o42 = o0o0o46.split(',')
        if len(o0o0o42)!= 9:
            print('错误: 需要输入9个数')
        return None
    except Exception as o0o0o47:
        print(f'发生错误: {o0o0o47}')
if __name__ == '__main__':
    jinhsi()

ai猛猛分析

cipher = [
    1473, 3419, 9156, 1267, 9185, 2823, 7945, 618, 7036, 2479,
    5791, 1945, 4639, 1548, 3634, 3502, 2433, 1407, 1263, 3354,
    9274, 1085, 8851, 3022, 8031, 734, 6869, 2644, 5798, 1862,
    4745, 1554, 3523, 3631, 2512, 1499, 1221, 3226, 9237
]


def init(key, key_len):
    """RC4密钥调度算法 (KSA)"""
    j = 0
    s = list(range(256))
    for i in range(256):
        j = (j + s[i] + key[i % key_len]) % 256
        s[i], s[j] = s[j], s[i]
    return s


def make(box):
    """改进的RC4伪随机生成算法 (PRGA)"""
    i = 0
    j = 0
    keystream = []
    for k in range(256):
        i = (i + 1) % 256
        j = (j + box[i]) % 256
        box[i], box[j] = box[j], box[i]
        # 关键修改：添加了 k % 23
        keystream_index = (box[i] + box[j] + k % 23) % 256
        keystream.append(box[keystream_index])
    return keystream


def decrypt():
    """解密函数"""
    # 给定的密钥
    fuck_key = [1234, 5678, 9123, 4567, 8912, 3456, 7891, 2345, 6789]

    # 密钥预处理：模255
    processed_key = [i % 0xff for i in fuck_key]
    print(f"处理后的密钥: {processed_key}")

    # 生成RC4密钥流
    s_box = init(bytes(processed_key), len(processed_key))
    keystream = make(s_box)
    print(f"密钥流前10个字节: {keystream[:10]}")

    # 解密
    flag = []
    for i in range(len(cipher)):
        # 计算额外的密钥分量
        if i % 2 == 0:  # 偶数位置
            extra_key = fuck_key[i % 9]
        else:  # 奇数位置
            extra_key = (fuck_key[i % 9] * 2) % 0xFFF

        # 解密公式：flag[i] = cipher[i] ^ (keystream[i] + extra_key)
        decrypted_char = cipher[i] ^ (keystream[i] + extra_key)
        flag.append(decrypted_char)

        print(
            f"位置{i}: cipher={cipher[i]}, keystream={keystream[i]}, extra={extra_key}, result={decrypted_char} ('{chr(decrypted_char) if 32 <= decrypted_char <= 126 else '?'}')")

    # 尝试转换为字符串
    try:
        flag_str = ''.join(chr(c) for c in flag)
        print(f"\n解密结果: {flag_str}")
        return flag_str
    except:
        print(f"\n解密结果(字节): {flag}")
        # 尝试处理可能的编码问题
        printable_chars = []
        for c in flag:
            if 32 <= c <= 126:  # 可打印ASCII字符
                printable_chars.append(chr(c))
            else:
                printable_chars.append(f"\\x{c:02x}")
        print(f"可读形式: {''.join(printable_chars)}")
        return flag


def verify_encryption(flag_str, expected_cipher):
    """验证加密过程"""
    print("\n=== 验证加密过程 ===")

    fuck_key = [1234, 5678, 9123, 4567, 8912, 3456, 7891, 2345, 6789]
    processed_key = [i % 0xff for i in fuck_key]

    # 重新生成密钥流
    s_box = init(bytes(processed_key), len(processed_key))
    keystream = make(s_box)

    # 模拟加密
    flag_bytes = [ord(c) for c in flag_str]
    encrypted = []

    for i in range(len(flag_bytes)):
        if i % 2 == 0:
            extra_key = fuck_key[i % 9]
        else:
            extra_key = (fuck_key[i % 9] * 2) % 0xFFF

        encrypted_char = flag_bytes[i] ^ (keystream[i] + extra_key)
        encrypted.append(encrypted_char)

    print(f"原始flag: {flag_str}")
    print(f"重新加密: {encrypted}")
    print(f"原始密文: {expected_cipher}")
    print(f"验证结果: {'✓ 成功' if encrypted == expected_cipher else '✗ 失败'}")

    return encrypted == expected_cipher


def advanced_decrypt():
    """高级解密 - 处理可能的字符编码问题"""
    print("=== 高级解密模式 ===")

    fuck_key = [1234, 5678, 9123, 4567, 8912, 3456, 7891, 2345, 6789]
    processed_key = [i % 0xff for i in fuck_key]

    s_box = init(bytes(processed_key), len(processed_key))
    keystream = make(s_box)

    decrypted_bytes = []
    for i in range(len(cipher)):
        if i % 2 == 0:
            extra_key = fuck_key[i % 9]
        else:
            extra_key = (fuck_key[i % 9] * 2) % 0xFFF

        # 解密
        decrypted_byte = cipher[i] ^ (keystream[i] + extra_key)

        # 确保在有效字节范围内
        decrypted_byte = decrypted_byte & 0xFF
        decrypted_bytes.append(decrypted_byte)

    print(f"解密字节序列: {decrypted_bytes}")

    # 尝试多种解释方式
    print("\n尝试不同的字符解释:")

    # 1. 直接ASCII
    try:
        ascii_result = ''.join(chr(b) if 32 <= b <= 126 else f'\\x{b:02x}' for b in decrypted_bytes)
        print(f"ASCII解释: {ascii_result}")
    except:
        print("ASCII解释失败")

    # 2. 只取有效ASCII字符
    valid_ascii = ''.join(chr(b) for b in decrypted_bytes if 32 <= b <= 126)
    print(f"有效ASCII字符: {valid_ascii}")

    # 3. 尝试UTF-8
    try:
        utf8_result = bytes(decrypted_bytes).decode('utf-8', errors='ignore')
        print(f"UTF-8解释: {utf8_result}")
    except:
        print("UTF-8解释失败")

    return decrypted_bytes


# === 与1.py集成功能 ===
def integrate_with_1py():
    """与1.py进行集成 - 使用正确的密钥解密flag"""
    print("=== 与1.py集成模式 - 正确解密flag ===")
    
    try:
        # 尝试导入1.py的功能
        import sys
        import os
        sys.path.append(os.path.dirname(os.path.abspath(__file__)))
        
        # 动态导入1.py（避免直接import可能的冲突）
        import importlib.util
        spec = importlib.util.spec_from_file_location("module1", "1.py")
        module1 = importlib.util.module_from_spec(spec)
        spec.loader.exec_module(module1)
        
        # 获取1.py的解密结果 - 这就是正确的密钥
        solution = module1.solve_optimized()
        if solution and len(solution) == 9:
            print(f"从1.py获取的正确密钥: {solution}")
            
            # 根据dara.py的逻辑进行正确解密
            return decrypt_with_correct_key(solution)
        else:
            print("无法从1.py获取有效结果，使用默认解密")
            return decrypt()
            
    except Exception as e:
        print(f"集成1.py时出错: {e}")
        print("回退到原始解密功能")
        return decrypt()


def decrypt_with_correct_key(correct_key):
    """使用从1.py获取的正确密钥进行解密"""
    print(f"使用正确密钥解密: {correct_key}")
    
    # 根据dara.py的文档字符串中的逻辑
    # fuck_key = [1,2,3,4,5,6,7,8,9] (这是固定的)
    # 但实际的密钥应该是从1.py解密出来的结果
    fuck_key = correct_key  # 使用1.py解密出的正确密钥
    
    # 密钥预处理：模255
    processed_key = [i % 0xff for i in fuck_key]
    print(f"处理后的密钥: {processed_key}")

    # 生成RC4密钥流
    s_box = init(bytes(processed_key), len(processed_key))
    keystream = make(s_box)
    print(f"密钥流前10个字节: {keystream[:10]}")

    # 解密 - 根据dara.py的逻辑
    flag = []
    for i in range(len(cipher)):
        # 计算额外的密钥分量 - 按照dara.py的逻辑
        if i % 2 == 0:  # 偶数位置
            extra_key = fuck_key[i % 9]
        else:  # 奇数位置
            extra_key = (fuck_key[i % 9] * 2) % 0xFFF

        # 解密公式：flag[i] = cipher[i] ^ (keystream[i] + extra_key)
        decrypted_char = cipher[i] ^ (keystream[i] + extra_key)
        flag.append(decrypted_char)

        print(f"位置{i}: cipher={cipher[i]}, keystream={keystream[i]}, extra={extra_key}, result={decrypted_char} ('{chr(decrypted_char) if 32 <= decrypted_char <= 126 else '?'}')")

    # 尝试转换为字符串
    try:
        flag_str = ''.join(chr(c) for c in flag)
        print(f"\n正确密钥解密结果: {flag_str}")
        return flag_str
    except:
        print(f"\n正确密钥解密结果(字节): {flag}")
        # 尝试处理可能的编码问题
        printable_chars = []
        for c in flag:
            if 32 <= c <= 126:  # 可打印ASCII字符
                printable_chars.append(chr(c))
            else:
                printable_chars.append(f"\\x{c:02x}")
        print(f"可读形式: {''.join(printable_chars)}")
        return flag


def decrypt_with_custom_key(custom_key):
    """使用自定义密钥进行解密"""
    print(f"使用自定义密钥解密: {custom_key}")
    
    # 确保密钥长度为9
    if len(custom_key) != 9:
        print("密钥长度不正确，使用默认密钥")
        return decrypt()
    
    # 密钥预处理：模255
    processed_key = [i % 0xff for i in custom_key]
    print(f"处理后的密钥: {processed_key}")

    # 生成RC4密钥流
    s_box = init(bytes(processed_key), len(processed_key))
    keystream = make(s_box)
    print(f"密钥流前10个字节: {keystream[:10]}")

    # 解密
    flag = []
    for i in range(len(cipher)):
        # 计算额外的密钥分量
        if i % 2 == 0:  # 偶数位置
            extra_key = custom_key[i % 9]
        else:  # 奇数位置
            extra_key = (custom_key[i % 9] * 2) % 0xFFF

        # 解密公式：flag[i] = cipher[i] ^ (keystream[i] + extra_key)
        decrypted_char = cipher[i] ^ (keystream[i] + extra_key)
        flag.append(decrypted_char)

        print(
            f"位置{i}: cipher={cipher[i]}, keystream={keystream[i]}, extra={extra_key}, result={decrypted_char} ('{chr(decrypted_char) if 32 <= decrypted_char <= 126 else '?'}')")

    # 尝试转换为字符串
    try:
        flag_str = ''.join(chr(c) for c in flag)
        print(f"\n自定义密钥解密结果: {flag_str}")
        return flag_str
    except:
        print(f"\n自定义密钥解密结果(字节): {flag}")
        return flag


def enhanced_decrypt():
    """增强解密功能 - 专注于正确的flag解密"""
    print("=== 增强解密模式 - 专注flag解密 ===")
    
    # 1. 原始密钥解密（作为对比）
    print("1. 使用原始默认密钥:")
    original_result = decrypt()
    print(f"原始密钥结果: {original_result}")
    print()
    
    # 2. 使用1.py的正确密钥解密（这应该是正确的方法）
    print("2. 使用1.py解密出的正确密钥:")
    integrated_result = integrate_with_1py()
    print(f"正确密钥结果: {integrated_result}")
    print()
    
    # 3. 验证是否为有效的flag格式
    def is_valid_flag(result):
        if isinstance(result, str):
            return result.startswith('flag{') and result.endswith('}')
        return False
    
    print("3. 结果验证:")
    results = {
        'original': original_result,
        'correct_key': integrated_result
    }
    
    valid_flags = []
    for method, result in results.items():
        is_valid = is_valid_flag(result)
        print(f"{method}: {result} - {'✓ 有效flag' if is_valid else '✗ 无效'}")
        if is_valid:
            valid_flags.append((method, result))
    
    if valid_flags:
        print(f"\n🎉 找到有效flag: {valid_flags}")
        return valid_flags[0][1]  # 返回第一个有效的flag
    else:
        print("\n❌ 未找到有效的flag格式")
        return integrated_result  # 返回使用正确密钥的结果
    
    return results


if __name__ == "__main__":
    print("开始解密RC4变种密码...")
    print(f"密文长度: {len(cipher)}")
    print(f"密文: {cipher}")
    print()

    # 原有功能保持不变
    print("=== 原始解密功能 ===")
    result = decrypt()
    print()

    # 高级解密
    advanced_result = advanced_decrypt()

    # 如果获得了可读的字符串，进行验证
    if isinstance(result, str) and len(result) == len(cipher):
        verify_encryption(result, cipher)

    print("\n" + "="*50)
    
    # 新增的增强解密功能 - 专注于获取正确的flag
    final_flag = enhanced_decrypt()
    
    print(f"\n🏁 最终flag结果: {final_flag}")
    
    # 如果找到了有效的flag，进行最终验证
    if isinstance(final_flag, str) and final_flag.startswith('flag{') and final_flag.endswith('}'):
        print("✅ 成功解密出有效的flag格式！")
        print(f"🎯 Flag: {final_flag}")
    else:
        print("⚠️  解密结果可能需要进一步处理")

    print("\n解密完成！")

‍

easyTauri

孩子这并不easy

先是拿脚本去解压提取前端资源文件

import brotli
import os

# 读取原始文件内容
file_path = r"D:\桌面\tauri\download (3).dat"
content = open(file_path, "rb").read()
print(len(content))


def find_first_brotli_segment(data: bytes, min_size: int = 10, max_scan: int = 10000):
    """在数据中扫描并返回第一个可成功解压的 Brotli 段 (decompressed, start, end)"""
    data_len = len(data)
    for start in range(data_len - min_size):
        # 限制扫描长度以提高效率
        max_end = min(start + max_scan, data_len)
        for end in range(start + min_size, max_end + 1):
            candidate = data[start:end]
            try:
                decompressed = brotli.decompress(candidate)
                return decompressed, start, end
            except Exception:
                continue
    return None

try:
    # 尝试直接作为完整 Brotli 流解压
    decompressed = brotli.decompress(content)
    open(r"data/dump", "wb").write(decompressed)
    print("✅ 直接解压成功，已写入 dump")
except brotli.error:
    # 回退：扫描文件中的 Brotli 段并解压第一个找到的段
    print("⚠️ 直接解压失败，尝试扫描文件中的 Brotli 段...")
    try:
        result = find_first_brotli_segment(content, min_size=10, max_scan=50000)
        if result:
            decompressed, start, end = result
            open("data/dump", "wb").write(decompressed)
            print(f"✅ 已解压第一个 Brotli 段到 dump，偏移: 0x{start:08X}-0x{end:08X}")
            print(f"   原始大小: {end-start} 字节, 解压大小: {len(decompressed)} 字节")
        else:
            print("❌ 未在文件中找到任何有效的 Brotli 段")
    except Exception as e:
        print(f"❌ 扫描 Brotli 段时出错: {e}")

main.js里面就是rc4和base 但是rc4一直有问题但是后面直接调试前端就可以了

1be551aa06fc51985400f41e53ae500

还有左右脑互博的代码阴曹地府

eb9965c74fa43db6021ee7a30315eb8

输入56个1 获取到往后端发的数据 2THXUDExaWkxR9gxajks5DHRjcrNJSUxMTExMTEx70YxMYAxMTExMTExpDlJ2IqeMTIyMd9RMTE=

得到xor流

后端就是tea和base没什么好说的

#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
基于 weidaima.txt 的精确 Base64 + TEA 解密脚本

特征值/常量来源：
- delta(每轮增量): 0x7E3997B7
- sum 初值（加密时）: 0x7E3997B7（每轮递增）
- 轮数: 32
- k0=0x636C6557, k1=0x74336D4F, k2=0x73757230, k3=0x55615474

说明：
- 文件中实现为 ECB 模式按 8 字节块加密，输出以 _byteswap_ulong 写出（大端序）
- 解密时按 8 字节块处理，输入按大端序解析，sum 从 delta*32 开始每轮递减 delta
"""

import base64
import struct

DELTA = 0x7E3997B7
ROUNDS = 32
K0 = 0x636C6557
K1 = 0x74336D4F
K2 = 0x73757230
K3 = 0x55615474

def tea_decrypt_block_be(block: bytes) -> bytes:
    """解密单个 8 字节块（按大端解析与输出）。"""
    if len(block) != 8:
        raise ValueError("Block size must be 8 bytes")

    v0, v1 = struct.unpack(">2L", block)
    sum_val = (DELTA * ROUNDS) & 0xFFFFFFFF

    for _ in range(ROUNDS):
        # sum_val = (sum_val - DELTA) & 0xFFFFFFFF
        v1 = (v1 - (((v0 << 4) + K2) ^ (v0 + sum_val) ^ ((v0 >> 5) + K3))) & 0xFFFFFFFF
        v0 = (v0 - (((v1 << 4) + K0) ^ (v1 + sum_val) ^ ((v1 >> 5) + K1))) & 0xFFFFFFFF
        sum_val = (sum_val - DELTA) & 0xFFFFFFFF

    return struct.pack(">2L", v0, v1)

def decrypt_ciphertext_b64(cipher_b64: str) -> bytes:
    """对给定 Base64 密文执行解密，返回原始明文字节（可能包含零填充）。"""
    data = base64.b64decode(cipher_b64)
    if len(data) % 8 != 0:
        raise ValueError("Ciphertext length must be a multiple of 8")

    out = bytearray()
    for i in range(0, len(data), 8):
        out += tea_decrypt_block_be(data[i:i+8])
    return bytes(out)

def main():
    cipher = "daF/DkQxixGmzn0aPFW2E2PhM8NabRtLjp6pI+c8TtY3WMuPxfnvlAsp9aluf8noZy/T6Sz9DJg="
    plaintext = decrypt_ciphertext_b64(cipher)

    # 尝试去除可能的零填充
    stripped = plaintext.rstrip(b"\x00")

    print("密文(Base64):", cipher)
    print("解码后长度:", len(base64.b64decode(cipher)), "字节")
    print("解密后十六进制:", plaintext.hex())
    try:
        print("解密后文本(UTF-8):", stripped.decode("utf-8"))
    except Exception:
        print("解密后文本(ASCII):", stripped.decode("ascii", errors="ignore"))

    # 特征值验证：代码中有 "ipc_commandname" 作为字段名与校验上下文
    if b"ipc" in stripped or b"command" in stripped:
        print("✓ 发现特征片段：包含 'ipc' 或 'command'")
    else:
        print("未检测到明显 'ipc'/'command' 片段，可能为其他明文字段值或二进制数据")

if __name__ == "__main__":
    main()