【奖励已发放】卡饭论坛网络安全夺旗赛第1期

显示全部楼层 · 发表于 2025-1-1 23:35:06

感谢~~

显示全部楼层 · 发表于 2025-1-2 16:24:10

swizzer 发表于 2024-12-31 19:27
坏，那道密码学不会没人做出来吧

对的。我研究了三个小时愣是没有思路。

显示全部楼层 · 发表于 2025-1-2 20:31:38

popk 发表于 2024-11-23 20:49
flag1{dX3$aK2$}
flag2{279446fe308f25cf1b3b84746b5a68bbb3e1445d}
flag3{qJ2sO7sC}

后记
又看看了flag4，0.0，预期flag需要限定第一个字符'f',否则非预期，这里记录一下

代码基本都是让chatgpt写的，AI误我呀0.0

import string
def subset_sum_memo_indices(numbers, target):
memo = {}
def helper(index, target):
if target == 0:
return []
if index == len(numbers) or target < 0:
return None
if (index, target) in memo:
return memo[(index, target)]
# 尝试包含当前数字
with_current = helper(index + 1, target - numbers[index])
if with_current is not None:
memo[(index, target)] = with_current + [index]
return memo[(index, target)]
# 尝试不包含当前数字
without_current = helper(index + 1, target)
memo[(index, target)] = without_current
return without_current
result = helper(0, target)
return result
def set_bits(indices):
result = 0
for index in indices:
result |= (1 << index) # 将第 index 位设置为 1
return result
def decode_flag4(a5, a3):
a1 = []
for value in a5:
pos=subset_sum_memo_indices(a3,value)
v=set_bits(pos)
a1.append(v)
return a1
def recover(a,first=ord('f')):
n = len(a) + 1 # b 的长度比 a 多 1
b = [0] * n
# 假设 b[0] 为未知值，依次计算
b[0] = first#a[0] // 2 # 假设第一个值可以从 a[0] 平分（可能需要调整）
for i in range(1, n - 1):
b[i] = a[i - 1] - b[i - 1]
# 计算最后一个元素
b[n - 1] = a[n - 2] - b[n - 2]
return b
def is_printable_bytes(data):
try:
# 尝试解码为字符串
decoded = data.decode("utf-8")
# 检查是否所有字符都可打印
return decoded.isprintable()
except UnicodeDecodeError:
# 如果解码失败，则不是可打印的
return False
def get_flag4():
table_480788 = [
391141429, 3478124220, 3336047727, 3527421942, 1597786510,
2019990264, 2744862007, 3898825252, 486177504, 184886860,
781690097, 63429722, 1180618910, 1947105626, 1555881410, 2578824499
] # 权重数组
target_4805A8 = [
2290375496, 6377613399, 1851683274, 3008635871, 4955741497,
4493937495, 7933494809, 3313318585, 5587460370, 2681599712,
2618169990, 5354670310, 3407564684, 1851683274, 3862218622,
2290375496, 671064364, 671064364, 3249888863, 4805770273,
2618169990, 5354670310, 6049818905, 3313318585, 2618169990,
5354670310, 2633373371
]
recovered_flag4 = decode_flag4(target_4805A8, table_480788[::-1])
# print("[-]Recovered a1:", bytes(recovered_flag4))
ss=string.printable
for s in ss:
re_flag4=recover(recovered_flag4,ord(s))
bs=bytes(re_flag4)
if is_printable_bytes(bs):
flag4=bs.decode()
print(flag4)
print('----------------------------------------------------------------------------')
print('[#]flag4:\n',flag4,sep='')
if __name__=='__main__':
get_flag4()
'''
em`hzlmbot`dj`ht^b^c`djq`dj~
flag{knapsack_is_a_backpack}
gkbf|jo`qrbbl^jr```abblobbl|
hjce}ip_rqcam]kqa_a`camncam{
iidd~hq^spd`n\lpb^b_d`nmd`nz
----------------------------------------------------------------------------
[#]flag4:
iidd~hq^spd`n\lpb^b_d`nmd`nz
'''
'''
E:\sample\kf\4>E:\sample\kf\4\backpack.exe
Enter flag: em`hzlmbot`dj`ht^b^c`djq`dj~
Congratulations! You got the correct flag~
E:\sample\kf\4>E:\sample\kf\4\backpack.exe
Enter flag: flag{knapsack_is_a_backpack}
Congratulations! You got the correct flag~
E:\sample\kf\4>E:\sample\kf\4\backpack.exe
Enter flag: gkbf|jo`qrbbl^jr```abblobbl|
Congratulations! You got the correct flag~
E:\sample\kf\4>E:\sample\kf\4\backpack.exe
Enter flag: hjce}ip_rqcam]kqa_a`camncam{
Congratulations! You got the correct flag~
E:\sample\kf\4>E:\sample\kf\4\backpack.exe
Enter flag: iidd~hq^spd`n\lpb^b_d`nmd`nz
Congratulations! You got the correct flag~
'''

复制代码

其它记录见附件，

显示全部楼层 · 发表于 2025-1-2 23:47:56

popk 发表于 2025-1-2 20:31
后记
又看看了flag4，0.0，预期flag需要限定第一个字符'f',否则非预期，这里记录一下

原来是在这里的非预期

因为是CTF比赛所以"flag{"作为flag固定的头部格式可以算作已知条件，不然很容易就能想到这题绝对不止一个解。这点的确没在程序里做验证，有点疏忽了

显示全部楼层 · 发表于 2025-1-3 19:44:48

popk 发表于 2025-1-2 20:31
后记
又看看了flag4，0.0，预期flag需要限定第一个字符'f',否则非预期，这里记录一下

感谢活动结束后首个成文的优秀WP，我去给您申请题解奖励

不过，内容具体详实且完整将文章发布到样本区的话奖励会更高

显示全部楼层 · 发表于 2025-1-12 23:46:49

第四题我来个C语言版本的吧....

#include <windows.h>
#include <stdio.h>
#include <stdint.h>
#include <intrin.h>
#include <stdbool.h>
bool findSubset(UINT64* arr, int n, UINT64 target, UINT64* subset, int subsetSize, UINT64* hex)
{
if (target == 0){
for (int i = 0; i < subsetSize; i++){
hex[i] = subset[i];
}
return true;
}
if (n == 0 || target < 0){
return false;
}
subset[subsetSize] = arr[n - 1];
if (findSubset(arr, n - 1, target - arr[n - 1], subset, subsetSize + 1, hex)){
return true;
}
return findSubset(arr, n - 1, target, subset, subsetSize, hex);
}
int main()
{
#define KEY_NUM (ARRAYSIZE(hexNumbers))
UINT64 hexNumbers[] = {
0x99B5BD33, 0x5CBCDDC2, 0x740E795A, 0x465ED09E,
0x3C7DC5A, 0x2E97A4F1, 0x0B05264C, 0x1CFA7AE0,
0x0E8635A24, 0x0A39B4537, 0x78669AF8, 0x5F3C498E,
0x0D2402FF6, 0x0C6D80C6F, 0x0CF4FF6BC, 0x17505835
};
UINT64 target[] = {
0x88845B48, 0x17C22A857, 0x6E5E71CA, 0x0B35423DF,
0x127629D39, 0x10BDC0B57, 0x1D8DF8619, 0x0C57D3AB9,
0x14D09E112, 0x9FD5F6E0, 0x9C0E1A86, 0x13F29C8E6,
0x0CB1B4F8C, 0x6E5E71CA, 0x0E634C77E, 0x88845B48,
0x27FFA12C, 0x27FFA12C, 0x0C1B55E5F, 0x11E723C21,
0x9C0E1A86, 0x13F29C8E6, 0x16898E919, 0x0C57D3AB9,
0x9C0E1A86, 0x13F29C8E6, 0x9CF616BB
};
UINT64 subset[KEY_NUM];
UINT64 hex[KEY_NUM];
int s = 'f';
printf("%c", s);
for (int k = 0; k < ARRAYSIZE(target); ++k){
memset(hex, 0, sizeof(hex));
if (!findSubset(hexNumbers, KEY_NUM, target[k], subset, 0, hex)){
printf("No subset found.\n");
}
int c = 0;
for (int i = 0; i < KEY_NUM; ++i){
for (int j = 0; j < KEY_NUM; ++j){
if (hex[j] == 0)
break;
if (hex[j] == hexNumbers[i])
c |= (1 << (i));
}
}
//printf("[%x]", c);
s = c - s;
if (s < 0x20 || s >= 0x7f)
printf("\n code error %x\n", s);
printf("%c", s);
}
return 0;
}

复制代码

[其他相关] 【奖励已发放】卡饭论坛网络安全夺旗赛第1期

本帖子中包含更多资源

评分

[其他相关] 【奖励已发放】卡饭论坛网络安全夺旗赛 第1期

本帖子中包含更多资源

评分

[其他相关] 【奖励已发放】卡饭论坛网络安全夺旗赛第1期