SEA
题目名称是sea,反过来就是aes
查看代码,有一处复制操作,被复制的数据长度为 32 字节,正好是 AES-256 密钥的长度,因此把它当作密钥,赛博厨子(CyberChef)一把梭
DASCTF{75aab2560274ae21aa4554b993e658d1}
flower world
程序将输入对每一位进行了各种运算操作和密文进行比较
只需要将这些运算操作提取出来进行逆运算就能还原flag
flag 的起始地址为 0x407040,各字节按地址递增排列;提取对这些地址进行的运算操作,然后按相反的顺序逐个做逆运算(加减与异或混用时顺序不能颠倒),让 AI 搓一个脚本:
import re
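# Decompiler statements that mutate the flag buffer, one per line.
# NOTE: the ".........." line marks statements elided in this write-up; the
# full list from the decompiler has to be pasted here to reproduce the flag.
ops_text = """
byte_40704D -= 120;
byte_407070 ^= 0x4Fu;
byte_407055 -= 30;
..........
byte_407051 -= 42;
byte_407050 ^= 0xD6u;
"""
BASE_FLAG = 0x407040  # address of the first flag byte
FLAG_LEN = 40         # number of flag bytes that are compared

# A target is either `byte_<hexaddr>` or the bare symbol `flag`, which this
# script treats as the first byte of the buffer (index 0).
_SYMBOL = r'(?:byte_([0-9A-Fa-f]+)|flag)'
# `<target> += N;`, `<target> -= N;`, `<target> ^= N;` (N decimal or 0x hex,
# optional trailing `u`).
_ASSIGN_RE = re.compile(
    r'^' + _SYMBOL + r'\s*([+\-^])=\s*(0x[0-9A-Fa-f]+|\d+)u?\s*;'
)
# `++<target>;` and `--<target>;`, recorded as +1 / -1.
_STEP_RE = re.compile(r'^(\+\+|--)' + _SYMBOL + r'\s*;')

stripped = (ln.strip() for ln in ops_text.splitlines())
lines = [ln for ln in stripped if ln and not ln.startswith('#')]

ops = []       # list of (idx, op, val), in program order
unparsed = []  # lines that matched no known statement form
for ln in lines:
    m = _ASSIGN_RE.match(ln)
    if m:
        hex_addr, op = m.group(1), m.group(2)
        val = int(m.group(3), 0) & 0xFF
    else:
        m = _STEP_RE.match(ln)
        if not m:
            # A silently dropped operation would corrupt the recovered bytes
            # without any visible error, so keep the line for inspection.
            unparsed.append(ln)
            continue
        hex_addr, op, val = m.group(2), m.group(1)[0], 1
    idx = 0 if hex_addr is None else int(hex_addr, 16) - BASE_FLAG
    # Writes that land outside the flag buffer are not recorded.
    if 0 <= idx < FLAG_LEN:
        ops.append((idx, op, val))

len_ops = len(ops)
# Notebook-style preview of what was parsed; check `unparsed` as well.
len_ops, ops[:10], ops[-10:]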
# Expected bytes the program compares the transformed input against,
# written as four rows of ten hex pairs.
cipher = bytes.fromhex(
    "7F 11 4A 9D A5 D5 99 9F AC D3 "
    "D4 BC 1A 53 46 F4 E7 37 03 60 "
    "17 BA 67 AC 09 DA A0 FB 2D 8E "
    "CB 11 02 C4 17 F7 1B 8F 67 52"
)
# Notebook-style length check of the ciphertext.
len(cipher)
def invert(op, val):
    """Return the ``(op, val)`` pair that undoes ``op`` applied with ``val``.

    Addition and subtraction swap, XOR is its own inverse.

    Raises:
        ValueError: if ``op`` is not one of ``'+'``, ``'-'``, ``'^'``.
    """
    for forward, backward in (('+', '-'), ('-', '+'), ('^', '^')):
        if op == forward:
            return (backward, val)
    raise ValueError(op)
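# Undo the recorded operations last-to-first. The order matters: byte-wise
# add/sub and xor on the same byte do not commute.
inv_ops = [(i,) + invert(op, v) for (i, op, v) in reversed(ops)]

buf = bytearray(cipher)
for i, op, v in inv_ops:
    if op == '+':
        buf[i] = (buf[i] + v) & 0xFF  # wrap like an 8-bit register
    elif op == '-':
        buf[i] = (buf[i] - v) & 0xFF
    elif op == '^':
        buf[i] ^= v

hex_out = buf.hex()
# The result is only printable if every operation was recovered; a failed
# decode is reported as None next to the hex dump.
try:
    ascii_try = bytes(buf).decode('utf-8')
except UnicodeDecodeError:
    ascii_try = None
print(hex_out, ascii_try)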
# 运行结果
# 4441534354467b35616333623238373131616163383664613063366634663438396230356539367d
# DASCTF{5ac3b28711aac86da0c6f4f489b05e96}
DASCTF{5ac3b28711aac86da0c6f4f489b05e96}




