Classical Cipher

AnU7NnR4NassOGp3BDJgAGonMaJayTwrBqZ3ODMoMWxgMnFdNqtdMTM9

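This looks like Base64, but decoding it directly with the standard alphabet does not produce a valid result, so there is probably a preceding step. After trying the common classical ciphers, it turns out to be Atbash. Applying the Atbash substitution gives: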

ZmF7MmI4MzhhLTk3YWQtZTlmNzQzbGdiYjA3LWNlNDctNmUwMjgwNGN9

This decodes cleanly as Base64, giving:

fa{2b838a-97ad-e9f743lgbb07-ce47-6e02804c}

This is recognizably a rail fence cipher; decrypting it gives the flag.
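The three stages above (Atbash, then Base64, then rail fence) chained together, as an added example that is not part of the original write-up. The rail count of 2 is an assumption, since the write-up does not state it; the function names are illustrative, and the rail fence decoder is the general zigzag version for any number of rails.

```python
import base64
import string

# Ciphertext copied from the write-up above.
CIPHERTEXT = "AnU7NnR4NassOGp3BDJgAGonMaJayTwrBqZ3ODMoMWxgMnFdNqtdMTM9"

# Atbash maps A<->Z, B<->Y, ... within each case; digits and '=' are untouched.
ATBASH = str.maketrans(
    string.ascii_uppercase + string.ascii_lowercase,
    string.ascii_uppercase[::-1] + string.ascii_lowercase[::-1],
)

def atbash(text):
    return text.translate(ATBASH)

def rail_fence_decode(text, rails):
    """Undo a zigzag rail fence cipher with the given number of rails (>= 2)."""
    if rails < 2:
        raise ValueError("rail fence needs at least 2 rails")
    period = 2 * (rails - 1)
    # Rail that each plaintext position falls on while zigzagging.
    rail_of = [min(i % period, period - i % period) for i in range(len(text))]
    # The ciphertext lists rail 0 first, then rail 1, ...; a stable sort
    # recovers which plaintext position each ciphertext character came from.
    order = sorted(range(len(text)), key=lambda i: rail_of[i])
    plain = [""] * len(text)
    for ch, pos in zip(text, order):
        plain[pos] = ch
    return "".join(plain)

def solve(ciphertext, rails=2):
    """Return every stage: Atbash output, Base64 output, rail fence output.

    rails=2 is an assumption; the write-up does not give the rail count.
    """
    b64_text = atbash(ciphertext)
    scrambled = base64.b64decode(b64_text, validate=True).decode("ascii")
    return b64_text, scrambled, rail_fence_decode(scrambled, rails)

if __name__ == "__main__":
    for stage in solve(CIPHERTEXT):
        print(stage)
```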

Hotpot Chain Sightseeing Check-in

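As the challenge instructs, install the MetaMask extension in the browser and create a wallet, then connect to the Hotpot Chain through the web page. After claiming the airdrop, play the game: answering enough questions collects all the required ingredients, and exchanging them for the NFT yields the flag.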


asm_re

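Following the code down from the main function leads to the transformation routine. After the transformation, the result is compared against a block of data (unk_100003F10):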

__text:0000000100003C7C                               loc_100003C7C; CODE XREF: _main+BC↑j
__text:0000000100003C7C A9 03 50 F8 LDUR X9, [X29,#var_100]
__text:0000000100003C80 A8 03 54 F8 LDUR X8, [X29,#var_C0]
__text:0000000100003C84 AA 43 92 B8 LDURSW X10, [X29,#var_DC]
__text:0000000100003C88 08 69 EA 38 LDRSB W8, [X8,X10]
__text:0000000100003C8C A8 03 12 B8 STUR W8, [X29,#var_E0]
__text:0000000100003C90 A8 03 52 B8 LDUR W8, [X29,#var_E0]
__text:0000000100003C94 0A 0A 80 52 MOV W10, #0x50 ; 'P'
__text:0000000100003C98 08 7D 0A 1B { * 0x50 => MUL W8, W8, W10 }
__text:0000000100003C9C 08 51 00 11 { + 0x14 => ADD W8, W8, #0x14 }
__text:0000000100003CA0 AA 09 80 52 MOV W10, #0x4D ; 'M'
__text:0000000100003CA4 08 01 0A 4A { ^ 0x4D => EOR W8, W8, W10 }
__text:0000000100003CA8 08 79 00 11 { + 0x1E => ADD W8, W8, #0x1E }
__text:0000000100003CAC A8 C3 11 B8 STUR W8, [X29,#var_E4]
__text:0000000100003CB0 A8 C3 51 B8 LDUR W8, [X29,#var_E4]
__text:0000000100003CB4 AA 43 92 B8 LDURSW X10, [X29,#var_DC]
__text:0000000100003CB8 28 79 2A B8 STR W8, [X9,X10,LSL#2]
__text:0000000100003CBC 01 00 00 14 B loc_100003CC0

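Because each character is transformed independently of its neighbours, simply apply the same transformation to every printable character and use the results as a dictionary for reverse lookup to recover the flag: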

from string import printable

# Build a reverse lookup table: transformed value -> original character.
table = {}
for char in printable:
    cipher = ord(char) * 0x50  # MUL W8, W8, W10 (W10 = 0x50)
    cipher = cipher + 0x14     # ADD W8, W8, #0x14
    cipher = cipher ^ 0x4D     # EOR W8, W8, W10 (W10 = 0x4D)
    cipher = cipher + 0x1E     # ADD W8, W8, #0x1E
    table[cipher] = char

# Comparison data from unk_100003F10; each entry is a little-endian byte pair.
expected = [[0xD7, 0x1F], [0xB7, 0x21], [0x47, 0x1E], [0x27, 0x20], [0xE7, 0x26], [0xD7, 0x10], [0x27, 0x11], [0x7, 0x20], [0xC7, 0x11], [0x47, 0x1E], [0x17, 0x10], [0x17, 0x10], [0xF7, 0x11], [0x7, 0x20], [0x37, 0x10], [0x7, 0x11], [0x17, 0x1F], [0xD7, 0x10], [0x17, 0x10], [0x17, 0x10], [0x67, 0x1F], [0x17, 0x10], [0xC7, 0x11], [0xC7, 0x11], [0x17, 0x10], [0xD7, 0x1F], [0x17, 0x1F], [0x7, 0x11], [0x47, 0xF], [0x27, 0x11], [0x37, 0x10], [0x47, 0x1E], [0x37, 0x10], [0xD7, 0x1F], [0x7, 0x11], [0xD7, 0x1F], [0x7, 0x11], [0x87, 0x27]]

# Map each expected value back to the character that produces it.
for value in expected:
    cipher = int.from_bytes(value, 'little')
    print(table[cipher], end='')
print()