{"id":44,"date":"2026-04-14T15:16:00","date_gmt":"2026-04-14T07:16:00","guid":{"rendered":"https:\/\/www.seekinthevortex.cn\/?p=44"},"modified":"2026-04-14T15:16:00","modified_gmt":"2026-04-14T07:16:00","slug":"2025-dasctf-%e4%b8%8b%e5%8d%8a%e5%b9%b4%e8%b5%9b","status":"publish","type":"post","link":"https:\/\/www.seekinthevortex.cn\/index.php\/2026\/04\/14\/2025-dasctf-%e4%b8%8b%e5%8d%8a%e5%b9%b4%e8%b5%9b\/","title":{"rendered":"2025 DASCTF \u4e0b\u534a\u5e74\u8d5b"},"content":{"rendered":"

EZmac<\/h1>\n
IDA_100004022 = [0x7D, 0x7B, 0x68, 0x7F, 0x69, 0x78, 0x44, 0x78, 0x72, 0x21, 0x74, 0x76, 0x75, 0x22, 0x26, 0x7B, 0x7C, 0x7E, 0x78, 0x7A, 0x2E, 0x2D, 0x7F, 0x2D]\n\nflag = []\n\nj = 57\n\nfor i in range(len(IDA_100004022)):\n    print(chr(IDA_100004022[i] ^ j), end='')\n    j += 1\n \n# DASCTF{83c720da35436cc0}\n<\/code><\/pre>\n
\u867d\u7136\u662fmac,\u4f46\u662f\u6d41\u7a0b\u5f88\u7b80\u5355,\u7528\u4e0d\u4e0a\u52a8\u8c03<\/p>\n
Androidfile<\/h1>\n
\u660e\u6587\u5b57\u7b26\u4e32\u90fd\u901a\u8fc7w.i\u6df7\u6dc6\u3002\u6df7\u6dc6\u903b\u8f91\u662f\u5bf9\u4e24\u4e2a\u5b57\u7b26\u4e32\u5148base64\u89e3\u5bc6\u4e4b\u540e\u5f02\u6216\u5f97\u5230\u503c\u3002<\/p>\n
\u8fd9\u91cc\u770b\u5230\u5bf9\u8f93\u5165\u7684\u5904\u7406\u5c31\u662f\u8c03\u7528\u4e86C \u3002C\u662fAES-CBC str2\u548cstr\u662f\u968f\u673a\u751f\u6210\u7684\uff0c\u4f46\u662f\u901a\u8fc7a_p\u653e\u5728\u4e86\u6700\u540e\u7684\u56de\u663e\u524d\u7f00\u4e0a\uff0c\u6240\u4ee5\u53ef\u4ee5\u6839\u636e\u9898\u76ee\u7ed9\u7684flag\u6570\u636e\u5305\u8fdb\u884c\u590d\u539f\u3002\u4f46\u662f\u8fd9\u91ccstr2\u548cstr\u90fd\u7ecf\u8fc7\u4e86\u4e00\u6b21RSA\u4e5f\u5c31\u662fD\u51fd\u6570\u3002RSA\u7684\u5bc6\u94a5\u4e5f\u7ed9\u6211\u4e86 \u6240\u4ee5\u53ea\u9700\u8981\u6839\u636e\u4ee5\u4e0a\u4fe1\u606f\u83b7\u53d6str2\u548cstr\u4e5f\u5c31\u662fkey\u548civ \u4e4b\u540eAES\u5c31\u53ef\u4ee5\u4e86\u3002<\/p>\n
\u6700\u540e\u7684\u56de\u663e\u4f1a\u52a0\u4e0a\u524d\u7f00a_p\u548c<-encryptinput-> \u6700\u540e\u662f\u5bc6\u6587\u7684base64\u5f62\u5f0f\u3002\u53bb\u770ba_p\u7684\u903b\u8f91<\/p>\n
a_p\u662f\u4e00\u4e2arc4(Base64(input)) key\u662fREVERSE\u786c\u7f16\u7801\u3002\u636e\u6b64\u8fd8\u539f\u5f97\u5230\u7684flag\u6570\u636e\u5305\u5982\u4e0b<\/p>\n
enkey_QMz2qirA80LJiOs30Efl00JsrIv+ZdrM9iB74P\/nCWOrzEemEOaq2lN1\/V5\/rOAoTgBanJO\/Acpo\nokhVIOVdsA==\neniv_hKH\/M\/v8zwVICeWlc652BZk2eA\/c2g0cLpBwvWBVlphiwBBasdn9HPWk7sb\/IaRh8eppZrToUwz6\nf1eomFJkEQ=\n<-encryptinput->UBUSWb+1P3Z\/aokV67e5xQ7eaHoEj3JAeC0XA1RckTWdWZYCB\/+D7qC3Hao74goX\n<\/code><\/pre>\n
\u8fd9\u91cc\u8981\u6ce8\u610fiv\u7684\u957f\u5ea6\u5176\u5b9e\u4e0d\u591f \u9700\u8981\u518d\u6dfb\u52a0\u4e00\u4e2a=\u957f\u5ea6\u624d\u5bf9\u3002\u8fd9\u6837\u5c31\u53ef\u4ee5\u5199\u811a\u672c\u89e3\u5bc6\u4e86\u3002<\/p>\n
import base64\nfrom binascii import hexlify\nfrom Crypto.Cipher import AES\nfrom Crypto.PublicKey import RSA\nfrom Crypto.Util.Padding import unpad\n\nENKEY_B64 = (\n    "QMz2qirA80LJiOs30Efl00JsrIv+ZdrM9iB74P\/nCWOrzEemEOaq2lN1\/V5\/rOAoTgBanJO\/AcpookhVIOVdsA=="\n)\n\nENIV_B64 = (\n    "hKH\/M\/v8zwVICeWlc652BZk2eA\/c2g0cLpBwvWBVlphiwBBasdn9HPWk7sb\/IaRh8eppZrToUwz6f1eomFJkEQ=="\n)\n\n\nC2_B64 = "UBUSWb+1P3Z\/aokV67e5xQ7eaHoEj3JAeC0XA1RckTWdWZYCB\/+D7qC3Hao74goX"\n\nPRIVATE_KEY_B64 = (\n    "MIIBVQIBADANBgkqhkiG9w0BAQEFAASCAT8wggE7AgEAAkEAncB8BH4egqfyJBoVPzGNIuQl\/64e5fl1If+CwtICWoiRV4AMfHuiREB+XlTawJ7QD\/ZJj2wO6sY4sdNhyYcC4QIDAQABAkEAh81Gdg+kcFHoD9AsbkRX\/atuUtcwXkYL4gK2LMThpdEFHIO7Scr+SYfwqmm\/LMtkbojEGEnNoIfmoLvGfhXaAQIhANDWo8OSMSQFnvh129cFiVfYKlS4ec24ixvFD8fUD4SRAiEAwWBuZ3kox1n21AsTAxom+E3z5KUUOSUjPXvG6tZBgVECIDOP2y0tSi6\/qIll6BqFxmxG9eSnC4PMfaQkmonXBOHRAiBmJUPsUGmj8\/eXxknCp7vSCYs9SZ3HGcDlp05Jmed8IQIhAJnE1PNe9lC5OazgRYhSG6bGCTbfFHT6OuwCVIxRSx4P"\n)\ndef load_private_key() -> RSA.RsaKey:\n    der_bytes = base64.b64decode(PRIVATE_KEY_B64)\n    priv_key = RSA.import_key(der_bytes)\n    return priv_key\n\ndef rsa_decrypt_raw_get_last16(cipher_b64: str, label: str, priv_key: RSA.RsaKey) -> bytes:\n    \n    cipher_bytes = base64.b64decode(cipher_b64)\n    \n    n = priv_key.n\n    d = priv_key.d\n    key_size = (n.bit_length() + 7) \/\/ 8  \n\n    c_int = int.from_bytes(cipher_bytes, byteorder="big")\n    m_int = pow(c_int, d, n)\n    m_bytes = m_int.to_bytes(key_size, byteorder="big")\n    last16 = m_bytes[-16:]\n    return last16\ndef aes_cbc_decrypt_b64(cipher_b64: str, key: bytes, iv: bytes) -> str:\n   \n    ct = base64.b64decode(cipher_b64)\n    if len(key) != 16 or len(iv) != 16:\n        raise ValueError(f"AES key\/iv \u957f\u5ea6\u9519\u8bef: key={len(key)}, iv={len(iv)}, \u671f\u671b\u90fd\u662f16\u5b57\u8282")\n\n    cipher = AES.new(key, AES.MODE_CBC, iv)\n    pt_padded = cipher.decrypt(ct)\n    pt = unpad(pt_padded, AES.block_size)\n    return pt.decode("utf-8")\ndef main():\n    \n    priv_key = load_private_key()\n    key1_bytes = rsa_decrypt_raw_get_last16(ENKEY_B64, "ENKEY", priv_key)\n    key2_bytes = rsa_decrypt_raw_get_last16(ENIV_B64, "ENIV", priv_key)\n    plaintext = aes_cbc_decrypt_b64(C2_B64, key1_bytes, key2_bytes)\n    print("\\n[+] \u89e3\u5bc6\u6210\u529f\uff0c\u660e\u6587\u4e3a\uff1a", repr(plaintext))\n   \nif __name__ == "__main__":\n   main()\n#[+] \u89e3\u5bc6\u6210\u529f\uff0c\u660e\u6587\u4e3a\uff1a 'DASCTF{android_encrypto_file_and_plains}'\n<\/code><\/pre>\n
Androidfff<\/h1>\n
blutter\u4e00\u4e0b\uff0c\u76f4\u63a5\u4e22\u53cd\u6c47\u7f16\u7ed9gemini3pro\uff0cai\u811a\u672c\u6ca1\u5199\u5c31\u51fa\u4e86DASCTF{flutter_is_so_easy}<\/p>\n
\u4e0d\u8fc7\u5c31\u662f\u4e00\u4e2a\u5f02\u6216\u4e5f\u7b80\u5355<\/p>\n
\"image.png\"<\/p>\n
Login<\/h1>\n
\u5ba2\u6237\u7aef\u548c\u670d\u52a1\u7aef\u901a\u8fc7\u4e24\u5c42RC4\u5bc6\u94a5\u62d3\u5c55\u7684RC4\u52a0\u5bc6\u901a\u4fe1
\nRSA\u7684\u79c1\u94a5\u786c\u7f16\u7801\u5728\u670d\u52a1\u7aef\u91cc\u9762\u4e86<\/p>\n
\u6807\u51c6 PKCS#7 \u586b\u5145 cbc aes128
\nrsa\u89e3\u5bc6\u51fakey\u548civ\u7136\u540e\u89e3\u5bc6passwd\u5373\u53ef<\/p>\n
\"image.png\"<\/p>\n","protected":false},"excerpt":{"rendered":"
EZmac IDA_100004022 = [0x7D, 0x7B, 0x68, 0x7F, 0x69, 0x […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-44","post","type-post","status-publish","format-standard","hentry","category-uncategorized"],"_links":{"self":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/44","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/comments?post=44"}],"version-history":[{"count":1,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/44\/revisions"}],"predecessor-version":[{"id":45,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/posts\/44\/revisions\/45"}],"wp:attachment":[{"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/media?parent=44"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/categories?post=44"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.seekinthevortex.cn\/index.php\/wp-json\/wp\/v2\/tags?post=44"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}