2025 BroncoCTF RE wp

Break the Battalion

签到题 ida打开附件 逻辑就是跟0x50异或

密文是brigade

赛博厨子跑一下得到flag

bronco{2"97145}

Reversing for Ophidiophiles

附件给了加密和key 先加在异或

题目描述给了密文 23a326c27bee9b40885df97007aa4dbe410e93
直接写脚本即可

enc = '23a326c27bee9b40885df97007aa4dbe410e93'  
enc_bytes = bytes.fromhex(enc)  
key = 'Awesome!'  
carry = 0  
flag = []  
for i, val in enumerate(enc_bytes):  
    val ^= ord(key[i % len(key)])  
    val -= carry  
    val %= 256  
    flag.append(chr(val))  
    carry += val  
    carry %= 256  
print("".join(flag))
#bronco{charge_away}

theflagishere!

pyc的逆向 找个在线网站反编译一下 直接扔给deepseek跑一下 得到flag

# 计算各个字符函数的结果并调整ASCII值  
def get_flag():  
    flag = [''] * 11  # 假设flag长度为11  
  
    # char_0 → 0号位  
    flag[0] = chr(ord(char_0()) - 1)  
  
    # char_1_4_6 → 1、4、6号位  
    c = chr(ord(char_1_4_6()) - 1)  
    flag[1] = flag[4] = flag[6] = c  
  
    # char_2_5_9 → 2、5、9号位  
    c = chr(ord(char_2_5_9()) - 1)  
    flag[2] = flag[5] = flag[9] = c  
  
    # char_3 → 3号位  
    flag[3] = char_3()  
  
    # char_7 → 7号位  
    flag[7] = chr(ord(char_7()) - 1)  
  
    # char_8 → 8号位  
    flag[8] = chr(ord(char_8()) - 1)  
  
    # char_10 → 10号位  
    flag[10] = chr(ord(char_10()) - 1)  
  
    return ''.join(flag)  
    
# char_0 → 'j' → 'i'  
# char_1_4_6 → '`' → '_'  
# char_2_5_9 → 'b' → 'a'  
# char_3 → 'm'  
# char_7 → 'g' → 'f'  
# char_8 → 'm' → 'l'  
# char_10 → 'h' → 'g'  
  
flag = "i_am_a_flag"  
print(flag)
#bronco{i_am_a_flag}

sus

打开附件 得到的是一堆自定义的宏 将标准的C++关键字和标识符替换为非标准的术语进行混淆

借助AI还原一下原来大概的代码 随后手动修改一下 逻辑大概是cook函数通过调用rando so_rando L high函数对初始化的字符串进行解密 一共解密八次 解密一次恢复一个字符 手动修复一下AI复原的代码 直接运行即可

#include<iostream>

#include<cstdlib>

#include<cmath>

#include<string>

using namespace std;

// 定义 Flag 类

class Flag {

public:

    string flag = "bronco{abcdefgh}";

};

  

// 定义 sigmas 数组

int sigmas[10][4] = {

    {354, 859, 63143, 63863},

    {441, 1117, 1074, 1612},

    {491, 877, 7979, 1331},

    {518, 859, 63143, 63863},

    {204, 859, 631, 6386},

    {197, 967, 223647, 5423434},

    {69, 223, 5632, 4195},

    {226, 1013, 71733, 29271},

    {10, 211, 6314, 6386},

    {504, 599, 7454, 7049}

};

  

// 声明 flag 对象

Flag flag;

  

// rando 函数，用于处理某些数值计算

int rando(int yeet) {

    int giving = 0;

    int bet = 0;

    for (int i = 1; ; i++) {

        if (yeet < pow(10, giving)) {

            break;

        }

        giving += 1;

    }

    yeet *= yeet ;

    if ( giving % 2 == 0 )

    {

        yeet *= 10 ;

    }

    string iykyk;

    for (int bet = 0; yeet > 0; yeet /= 10, bet++) {

        if (bet > giving / 2) {

            if (bet - 1 < giving / 2 + giving) {

                iykyk.insert(0, 1, '0' + yeet % 10);

        }

    }

}

    for (int bet = 0; giving > 0; giving--, bet++) {

        yeet += (iykyk[giving - 1] - '0') * pow(10, bet);

}

    return yeet;

}

//decode函数，用于解密

int decode(int yeet) {

    int giving = 0;

    int bet = 0;

    for (int i = 1; ; i++) {

        if (yeet < pow(10, giving)) {

            break;

        }

        giving += 1;

    }

    yeet *= yeet ;

    if ( giving % 2 == 0 )

    {

        yeet *= 10 ;

    }

    string iykyk = to_string(yeet).substr(giving - 1, giving);

    return stoi(iykyk);

}

// L 函数

int L(int plus,int ratio, int _plus, int blocked) {

    int dubs = (ratio * blocked + _plus) % plus;

    return dubs;

}

  

// high 函数

int high(int key) {

    string cap = to_string(key);

    cap[0] = '0';

    return stoi(cap);

}

  

// cook 函数

int cook(int e, int d[], int period[] = 0) {

    if (period == 0) {

        if (decode(L(d[1], d[2], d[3], d[0])) > 100) {

            if (decode(L(d[1], d[2], d[3], d[0])) == 144) {

                flag.flag[e - 1] = decode(L(sigmas[8][1], sigmas[8][2], sigmas[8][3], sigmas[8][0])) % 335;

            } else if (decode(L(d[1], d[2], d[3], d[0])) == 449) {

                flag.flag[e - 1] = decode(L(sigmas[1][1], sigmas[1][2], sigmas[1][3], sigmas[1][0])) - 30;

            } else {

                flag.flag[e - 1] = decode(L(d[1], d[2], d[3], d[0]));

            }

        } else {

            flag.flag[e - 1] = high(rando(L(d[1], d[2], d[3], d[0]))) + 48;

        }

    } else {

        if (rando(L(period[1], period[2], period[3], period[0])) == 610) {

            flag.flag[e - 1] = rando(L(period[1], period[2], period[3], period[0]));

        } else if (decode(L(d[1], d[2], d[3], d[0])) > 100) {

            if (decode(L(period[1], period[2], period[3], period[0])) > 100) {

                flag.flag[e - 1] = decode(L(d[1], d[2], d[3], d[0])) - decode(L(period[1], period[2], period[3], period[0]));

                if (flag.flag[e - 1] < 100) {

                    flag.flag[e - 1] += 100;

                }

            } else {

                flag.flag[e - 1] = decode(L(d[1], d[2], d[3], d[0])) - rando(L(period[1], period[2], period[3], period[0]));

            }

        }

    }

    return 0;

}

//通过cook函数对原本的flag进行操作 每一次操作修改flag的一个值

int main() {

    cook(rando(361) - 300 + 7, sigmas[0]);

    cook(rando(480) - 300 + 7, sigmas[2]);

    cook(rando(490) - 400 + 7, sigmas[3], sigmas[4]);

    cook(rando(539) - 900 + 7, sigmas[9]);

    cook(rando(557) - 100 + 7, sigmas[1]);

    cook(rando(819) - 700 + 7, sigmas[6]);

    cook(rando(843) - 100 + 7, sigmas[8]);

    cook(rando(906) - 200 + 7, sigmas[7], sigmas[5]);

  

    cout << flag.flag << endl;

  

    return 0;

  

}

//bronco{br4inr0t}

Actual Reversing

题目给了一个elf文件和一个txt 打开txt提取一下数字

-1, -4, 0, -1, 1, 1, 3, 2, 2, 3, 3, 8, 11, 12, 12, 13, 14, 15, 14, 16, 15, 15, 14, 17, 19, 19, 19, 19, 20, 20, 19, 25, 27, 28, 28, 26, 28, 28, 28, 28, 26, 27, 25, 27, 26, 28, 28, 27, 28, 26, 32, 31, 30, 31, 31, 30, 31, 30, 30, 29, 28, 29, 31, 28, 27, 28, 29, 29, 31, 33, 33, 32, 32, 32, 32, 32, 32, 29, 32, 33, 32, 32, 28, 32, 30, 31, 30, 30, 31, 30, 33, 35, 33, 39, 37, 37, 37, 37, 37, 37, 38, 39, 41, 41, 40, 39, 39, 39, 39, 39

随后分析elf文件
计算字符的二进制中表示 1 的个数 且等于108个

随后跟进perscribe函数

就是将输入的字符串的每个字符的每一位 与TRUTH字符串进行比对

直接写z3约束求flag即可

from z3 import *  
  
  
def solve_flag():  
    x_values = [  
        -1, -4, 0, -1, 1, 1, 3, 2, 2, 3, 3, 8, 11, 12, 12, 13, 14, 15, 14, 16,  
        15, 15, 14, 17, 19, 19, 19, 19, 20, 20, 19, 25, 27, 28, 28, 26, 28, 28,  
        28, 28, 26, 27, 25, 27, 26, 28, 28, 27, 28, 26, 32, 31, 30, 31, 31, 30,  
        31, 30, 30, 29, 28, 29, 31, 28, 27, 28, 29, 29, 31, 33, 33, 32, 32, 32,  
        32, 32, 29, 32, 33, 32, 32, 28, 32, 30, 31, 30, 30, 31, 30, 33, 35, 33,  
        39, 37, 37, 37, 37, 37, 38, 39, 41, 41, 40, 39, 39, 39, 39, 39, 39  
    ]  
  
    target_phrase = "Can birds even understand me?"  
  
    bit_positions = [  
        byte_idx * 8 + bit_offset  
        for byte_idx, char in enumerate(target_phrase)  
        for bit_offset in range(8)  
        if (ord(char) >> bit_offset) & 1  
    ]  
  
    solver = Solver()  
  
    flag_bits = [BitVec(f'bit_{i}', 1) for i in range(512)]  
  
    for pos, x in zip(bit_positions, x_values):  
        target_bit = pos - x  
        solver.add(flag_bits[target_bit] == 1)  
  
    solver.add(sum(flag_bits) == 108)  
  
    if solver.check() == sat:  
        model = solver.model()  
  
        flag_bytes = bytearray()  
        for byte_idx in range(64):  
            byte_value = 0  
            for bit_offset in range(8):  
                bit_index = byte_idx * 8 + bit_offset  
                byte_value |= model[flag_bits[bit_index]].as_long() << bit_offset  
            flag_bytes.append(byte_value)  
  
        return flag_bytes.decode('latin-1').strip('\x00')  
    return "No solution found"  
  
print(solve_flag())
#bronco{r3v3r5ed_3n0ugh?}