2025 suctf RE wp

前言：比赛期间只做出两道 RE，其他的题目还没有复现，等复现完再写一下其他的 wp。

SU_BBRE

打开附件，可以看到密文和密钥。问了一下 GPT，其中有一段循环了 256 次——这是 RC4 密钥调度（KSA）初始化 S 盒的典型特征，因此猜测是 RC4 加密；另外注意小端序。

SU_BBRE

写个脚本解出第一部分flag

def ksa(key):
    """Run the RC4 key-scheduling algorithm and return the initial state.

    Args:
        key: Indexable sequence of integers (``bytes`` or a list of byte
            values). It is repeated cyclically over the 256 rounds; an
            empty key raises ``ZeroDivisionError`` in the first round.

    Returns:
        A list holding a permutation of 0..255.

    Note:
        RC4 is implemented here only to undo the transform found in the
        challenge binary; its keystream has known statistical biases.
    """
    state = list(range(256))
    key_len = len(key)
    swap_at = 0
    for pos in range(256):
        # Each round folds one key byte into the running swap index.
        key_byte = key[pos % key_len]
        swap_at = (swap_at + state[pos] + key_byte) % 256
        state[pos], state[swap_at] = state[swap_at], state[pos]
    return state
def prga(S, length):
    """Produce ``length`` RC4 keystream bytes from the state ``S``.

    Args:
        S: 256-entry state list, e.g. the result of ``ksa``. It is permuted
            in place, so the caller's list is changed by this call.
        length: Number of keystream bytes to generate.

    Returns:
        A list of ``length`` integers read out of ``S``.
    """
    out = []
    a = 0
    b = 0
    for _ in range(length):
        a = (a + 1) % 256
        b = (b + S[a]) % 256
        # Swap first, then index with the sum of the two swapped entries.
        S[a], S[b] = S[b], S[a]
        pick = (S[a] + S[b]) % 256
        out.append(S[pick])
    return out

def rc4(key, plaintext):
    """XOR ``plaintext`` with the RC4 keystream derived from ``key``.

    The operation is a plain XOR with the keystream, so the same call maps
    ciphertext back to plaintext when given the same key.

    Args:
        key: Key handed to ``ksa``.
        plaintext: Sized iterable of byte values (``bytes`` or a list of
            ints).

    Returns:
        ``bytes`` of the same length as ``plaintext``.
    """
    state = ksa(key)
    stream = prga(state, len(plaintext))
    pairs = zip(plaintext, stream)
    return bytes(data_byte ^ stream_byte for data_byte, stream_byte in pairs)

# Key and ciphertext as recovered from the challenge binary. The write-up
# notes little-endian storage; presumably these bytes are already listed in
# memory order -- confirm against the disassembly.
key = b"suctf"
ciphertext = [
    0x2f, 0x5a, 0x57, 0x65, 0x14, 0x8f, 0x69, 0xcd,
    0x93, 0x29, 0x1a, 0x55, 0x18, 0x40, 0xe4, 0x5e,
]
# rc4() only XORs with the keystream, so applying it to the ciphertext
# yields the first part of the flag.
flag1 = rc4(key, ciphertext)
print(flag1)
# Expected output: b'We1com3ToReWorld'

继续往下看 还有一段密文

SU_BBRE-1

密文的每个字节与其下标相加即可还原；中间还有一段栈溢出到 fun1。

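# Second half of the flag, first piece: three literal bytes ('=', '"', '@').
flag = [0x3d, 0x22, 0x40]
print(''.join(chr(x) for x in flag))

# Second piece: each stored byte has its own index added to it to give the
# plaintext character. The loop body had lost its indentation in the listing,
# which made the script fail to parse; it is restored here.
flag2 = []
enc = [0x41, 0x6D, 0x62, 0x4D, 0x53, 0x49, 0x4e, 0x29, 0x28]
for i, j in enumerate(enc):
    flag2.append(chr(i + j))
    print(flag2[i], end='')
# Output (the first print ends with a newline, so it spans two lines):
# ="@
# AndPWNT00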

拼接起来得到flag
SUCTF{We1com3ToReWorld="@AndPWNT00}

SU_minesweeper

ida打开附件 逻辑很清晰

SU_minesweeper-2

首先跟进sub_1277 发现进行了一些字符串的转换
随后看sub_1432函数 主要的逻辑也在这里

SU_minesweeper-3

有一个大小为 400 的数组（20*20），写个脚本提取出来

import idc
import idaapi
import idautils
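# Dump the 400-byte (20*20) table from the binary as comma-separated hex.
# Meant to run inside IDA (IDAPython). The address range is inclusive, hence
# the +1: 0x41AF - 0x4020 + 1 = 400 bytes.
start_addr = 0x0000000000004020
end_addr = 0x00000000000041AF
data = idc.get_bytes(start_addr, end_addr - start_addr + 1)
if data:
    # The nested bodies had lost their indentation in the listing; restored.
    for byte in data:
        print(f"0x{byte:02X}", end=",")
else:
    # Say so explicitly instead of printing nothing when the read fails.
    print(f"no bytes read from 0x{start_addr:X}-0x{end_addr:X}")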

跟进 sub_13C9 函数，发现它累加 3*3 区域内的值，并返回总和

SU_minesweeper-4

sub_1352函数从指定的 (a2, a3) 坐标位置获取位值 通过计算该位置的字节索引和位偏移提取相应的位

SU_minesweeper-5

flag格式如下

SU_minesweeper-6

已知这些条件，可以先用 z3 求出解，随后对解的十六进制字符串做字符替换，再求一下 md5 即可

import itertools  
from z3 import *
# Clue table dumped from the binary: 400 bytes, read as a 20x20 grid in
# row-major order (the solver below indexes it as enc[20 * i + j]).
# 0xFF marks a cell that carries no clue and is skipped by the solver; any
# other value is the count that check_num() must produce for that cell.
enc = [0x03, 0x04, 0xFF, 0xFF, 0xFF, 0x05, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x04, 0x04, 0xFF, 0xFF, 0xFF, 0xFF, 0x02, 0xFF,
0xFF,
0x04, 0xFF, 0x07, 0xFF, 0xFF, 0xFF, 0x04, 0x06, 0x06, 0xFF, 0xFF, 0xFF, 0xFF, 0x06, 0x05, 0x06, 0x04, 0xFF, 0x05,
0xFF,
0x04, 0x07, 0xFF, 0x08, 0xFF, 0x06, 0xFF, 0xFF, 0x06, 0x06, 0x05, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x03, 0x03, 0xFF,
0x03,
0xFF, 0x05, 0x06, 0x06, 0xFF, 0xFF, 0xFF, 0xFF, 0x04, 0x05, 0x04, 0x05, 0x07, 0x06, 0xFF, 0xFF, 0x04, 0xFF, 0x02,
0x01,
0xFF, 0xFF, 0xFF, 0x03, 0x04, 0xFF, 0xFF, 0x05, 0x04, 0x03, 0xFF, 0xFF, 0x07, 0x04, 0x03, 0xFF, 0xFF, 0x01, 0x01,
0xFF,
0xFF, 0x04, 0x03, 0xFF, 0x02, 0xFF, 0x04, 0x03, 0xFF, 0xFF, 0x02, 0xFF, 0x05, 0x04, 0xFF, 0xFF, 0x02, 0x02, 0xFF,
0xFF,
0x04, 0xFF, 0x04, 0xFF, 0x03, 0x05, 0x06, 0xFF, 0xFF, 0x00, 0xFF, 0xFF, 0xFF, 0x02, 0xFF, 0xFF, 0xFF, 0x01, 0x04,
0xFF,
0xFF, 0x07, 0x05, 0xFF, 0xFF, 0x03, 0x03, 0x02, 0xFF, 0xFF, 0x04, 0xFF, 0xFF, 0x05, 0x07, 0xFF, 0x03, 0x02, 0x04,
0x04,
0xFF, 0x07, 0x05, 0x04, 0x03, 0xFF, 0xFF, 0x04, 0xFF, 0x02, 0x04, 0x05, 0xFF, 0xFF, 0x06, 0x05, 0x04, 0xFF, 0x02,
0xFF,
0xFF, 0x07, 0x04, 0xFF, 0xFF, 0x03, 0xFF, 0x04, 0x04, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x04, 0x03, 0x02,
0x02,
0xFF, 0xFF, 0x02, 0x04, 0x03, 0x05, 0xFF, 0xFF, 0x05, 0xFF, 0x04, 0xFF, 0x06, 0xFF, 0xFF, 0x06, 0xFF, 0xFF, 0xFF,
0xFF,
0x03, 0x03, 0xFF, 0x04, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x06, 0xFF, 0x06, 0x06, 0xFF, 0x07, 0x06, 0x04, 0xFF, 0x04,
0x03,
0xFF, 0x04, 0x03, 0x05, 0x04, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x04, 0x06, 0x07, 0xFF, 0xFF, 0x04, 0xFF,
0xFF,
0xFF, 0x07, 0xFF, 0x05, 0xFF, 0x05, 0xFF, 0xFF, 0x06, 0x07, 0x07, 0xFF, 0x05, 0x06, 0x06, 0xFF, 0xFF, 0x02, 0x04,
0x04,
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x06, 0xFF, 0xFF, 0x07, 0x07, 0x06, 0xFF, 0x06, 0xFF, 0xFF, 0xFF, 0xFF, 0x03, 0xFF,
0x03,
0x05, 0xFF, 0x07, 0xFF, 0x05, 0xFF, 0x06, 0xFF, 0x05, 0xFF, 0xFF, 0x07, 0x08, 0xFF, 0xFF, 0x03, 0xFF, 0x03, 0xFF,
0xFF,
0xFF, 0xFF, 0xFF, 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x06, 0x05, 0x03, 0xFF, 0x04, 0x05, 0x05, 0x03,
0xFF,
0xFF, 0x06, 0x05, 0x05, 0x06, 0xFF, 0x06, 0x05, 0x02, 0x04, 0x03, 0x04, 0xFF, 0xFF, 0x03, 0x04, 0x04, 0x06, 0x05,
0xFF,
0x03, 0xFF, 0x05, 0x05, 0x05, 0xFF, 0xFF, 0x05, 0xFF, 0xFF, 0x04, 0xFF, 0xFF, 0x04, 0xFF, 0x07, 0x07, 0x08, 0x06,
0xFF,
0xFF, 0xFF, 0xFF, 0x05, 0xFF, 0xFF, 0xFF, 0x04, 0xFF, 0x03, 0xFF, 0x03, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x05,
0x03]

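def get_sum(a1, row, col):
    """Return bit (row, col) of a 20x20 bitmap packed eight cells per byte.

    Cell ``n = 20 * row + col`` is stored in ``a1[n // 8]`` at bit ``n & 7``,
    least-significant bit first.

    Args:
        a1: Indexable sequence of byte values. Plain ints and z3 bit-vectors
            both work, since only ``>>`` and ``&`` are applied to an entry.
        row: Row index.
        col: Column index.

    Returns:
        The selected bit (0 or 1 for int input), or ``None`` when the
        coordinate lies outside the 0..19 grid.
    """
    # The body had lost its indentation in the listing; restored here.
    if not (0 <= row <= 19 and 0 <= col <= 19):
        return None
    cell = 20 * row + col
    # Masking with 1 keeps only the lowest bit, so it does not matter that
    # z3's ">>" on a bit-vector is an arithmetic (sign-extending) shift.
    return (a1[cell // 8] >> (cell & 7)) & 1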

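def check_num(a1, row, col):
    """Count the set cells in the 3x3 neighbourhood centred on (row, col).

    The centre cell is included in the count, and neighbours that fall
    outside the 20x20 grid are skipped.

    Args:
        a1: Packed bitmap in the layout ``get_sum`` reads.
        row: Row index of the centre cell.
        col: Column index of the centre cell.

    Returns:
        The sum of the up to nine bits: an int for int input, a z3
        expression when ``a1`` holds bit-vectors.
    """
    # The nested bodies had lost their indentation in the listing; restored.
    v5 = 0
    for i, j in itertools.product([-1, 0, 1], repeat=2):
        # Guard here as well, so get_sum never contributes None to the sum.
        if 0 <= row + i <= 19 and 0 <= col + j <= 19:
            v5 += get_sum(a1, row + i, col + j)
    return v5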

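# One 8-bit unknown per packed byte: 50 bytes * 8 bits cover the 400 cells.
S = Solver()
flag = [BitVec(f'flag_{i}', 8) for i in range(50)]
for i in range(20):
    for j in range(20):
        # 0xFF means "no clue for this cell"; every other entry must equal
        # the neighbourhood count of the candidate board.
        if enc[20 * i + j] != 0xff:
            S.add(enc[20 * i + j] == check_num(flag, i, j))
if S.check() == sat:
    m = S.model()
    # model_completion yields a concrete value even for a byte that no clue
    # happens to constrain, where m[flag[i]] would be None.
    values = [m.eval(flag[i], model_completion=True).as_long() for i in range(50)]
    # hex() does not zero-pad: a byte such as 0x07 prints as 0x7 and needs
    # its leading zero back before the digits are joined into one string.
    flag_value = ','.join(hex(v) for v in values)
    print(flag_value)
    # The flag is a hash of this board, so a second satisfying board would
    # hash to a different value. Ask the solver for any other solution.
    S.push()
    S.add(Or([flag[i] != values[i] for i in range(50)]))
    if S.check() == sat:
        print('warning: the clues admit more than one board; the hash of this one may not be the flag')
    S.pop()
else:
    print('solver returned no board for these clues; re-check the dumped table')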

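# Solver output written out as 100 hex digits (50 bytes, two digits each).
c = '5bdb69bfc51e65fbb50b2039218e8007e02c8f8807fe740d1b916d096d6f1b6e597dcc677ba8b63b6f1d1446587d61efec7d'
# Digit substitution: the digit at position k of `a` is replaced by the
# digit at position k of `b`.
a = '0123456789abcdef'
b = 'abcdef0123456789'
# The loop body had lost its indentation in the listing, so the script did
# not parse; a translation table does the same mapping in a single call and
# prints the same line.
converted = c.translate(str.maketrans(a, b))
print(converted)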
import hashlib

# Substituted hex string from the previous step. Per the write-up, the MD5
# hex digest of this string is what goes into the flag; MD5 is used because
# the challenge's flag format asks for it, not as a security measure.
flag = "f57503596fb80f955fa5cad3cb282aa18ac62922a1981ea7b53b07a30709b508f3176601154250d509b7bee0f2170b898617"
hasher = hashlib.md5()
hasher.update(flag.encode())
flag_md5 = hasher.hexdigest()
print(flag_md5)
#d661b98e4241de7423ef2d953098329d