Misc

Happy 1024!

AI搜索关键词

根据搜索结果,同时包含“star”、“boat”、“dream”、“water”、“sky”这些元素的诗词是元代诗人唐珙的《题龙阳县青草湖》中的名句:“醉后不知天在水,满船清梦压星河。”

这句诗描绘了诗人醉卧扁舟,仰望星空,感受着梦境与现实交融的奇妙体验。诗中的“天在水”指的是天上的银河映照在水中,而“满船清梦压星河”则形容了诗人的梦境如同满载的船只,沉沉地压在了璀璨的星河之上。这句诗通过对自然景象的描绘,表达了诗人对梦境的留恋以及对现实的失意与失望。

Crypto

ECC-DH

共享密钥等于其中一方的私钥乘以另一方的公钥

a = 10809567548006703521
b = 9981694937346749887
p = 25321837821840919771
E = Curve(a, b, p)  # fixed curve parameters; Curve/Point/findProof/MD5/randint/AES come from modules not shown on this page

findProof.main()  # proof-of-work gate (see the session transcript below)
# The base point G is supplied by the client. Nothing visible here checks that
# (G_x, G_y) lies on E or that G has a large prime order, so the subgroup Bob
# works in is chosen by the client.
G_x = int(input("[+] Give me the G_x\n> "))
G_y = int(input("[+] Give me the G_y\n> "))
G = Point(G_x, G_y, E)
print(f"[+] Share_G : {G}")

# Bob's private key. Drawn from [1, p] rather than [1, ord(G)], and it rebinds
# the name `b` that held the curve coefficient above (E is already built, so
# the curve itself is unaffected).
b = randint(1, E.p) # Bob's private key
B = b * G # Bob's public key
print(f"[+] Bob_PubKey : {B}")

# Alice's public key is also client-supplied; whether Point() validates that the
# coordinates satisfy the curve equation is not visible in this listing.
A_x = int(input("[+] Give me the Alice_PubKey.x\n> "))
A_y = int(input("[+] Give me the Alice_PubKey.y\n> "))
A = Point(A_x, A_y, E) # Alice's Public Key
print(f"[+] Alice_PubKey : {A}")

Share_Key = b * A  # ECDH: Bob's scalar times the received point
# AES key = MD5 digest of the shared x-coordinate; ECB mode, no authentication tag,
# so a wrong key simply yields garbage and the decode below fails.
Cipher = AES.new(MD5(Share_Key.x), AES.MODE_ECB)
pt = Cipher.decrypt(bytes.fromhex(input("[+] Give me the ciphertext\n> ")))
print(f"[+] Bob get the flag : {pt.decode()}")
┌──(root㉿Spreng)-[~]
└─# nc 118.195.138.159 10004
[+] sha256(XXXX+htC8hwrveKHEj447) == ffd95f4724211f4be013a17cad0d77c7914cd1cbc0f5200aa57f3bbc1d3de00c
[+] Plz tell me XXXX: DLrg
[+] Share G : (22565311448306005908,1397916078140553774)
[+] Alice_PubKey : (9250488053827849960,15122360881016255980)
[+] Give me the Bob_PubKey.x
> 10333552860092078375
[+] Bob_PubKey : (10333552860092078375,11655164729158644779)
[+] Alice tell Bob : c06e8014b5e95178c688f177d0c28194a742fb67c042a34a9c08ece27e2670780ed81630a3cecaf3df343eeea32d2116

请输入proof: htC8hwrveKHEj447
请输入target_hash: ffd95f4724211f4be013a17cad0d77c7914cd1cbc0f5200aa57f3bbc1d3de00c[+] sha256(XXXX+htC8hwrveKHEj447) == ffd95f4724211f4be013a17cad0d77c7914cd1cbc0f5200aa57f3bbc1d3de00c
找到的XXXX是: DLrg
[+] Give me the G_x
> 22565311448306005908
[+] Give me the G_y
> 1397916078140553774
[+] Share_G : (22565311448306005908,1397916078140553774)
[+] Bob_PubKey : (10333552860092078375,11655164729158644779)
[+] Give me the Alice_PubKey.x
> 9250488053827849960
[+] Give me the Alice_PubKey.y
> 15122360881016255980
[+] Alice_PubKey : (9250488053827849960,15122360881016255980)
[+] Give me the ciphertext
> c06e8014b5e95178c688f177d0c28194a742fb67c042a34a9c08ece27e2670780ed81630a3cecaf3df343eeea32d2116
[+] Bob get the flag : 0xGame{71234da9-baf8-406e-9cc7-d08ceedea945}

ECC-baby

用sage计算

from sage.all import *

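# Curve and points from the challenge (Sage).
p = 4559252311
a = 1750153947
b = 3464736227
E = EllipticCurve(GF(p), [a, b])
G = E(2909007728, 1842489211)
P = E(1923527223, 2181389961)
G_ = E(1349689070, 1217312018)
C = E(662346568, 2640798701)

n = E.order()
print(factor(n))  # 2^2 * 1139828071

# Pohlig–Hellman: the group order is smooth, so solve the DLP of P = k*G in
# each prime-power subgroup and combine with CRT. The moduli are derived from
# the factorisation instead of being typed in by hand.
factors = [q ** e for q, e in factor(n)]  # [4, 1139828071]
result = []
for f1 in factors:
    t = n // f1  # project both points into the subgroup of order f1
    result.append(discrete_log(t * P, t * G, operation='+'))

print(result)  # [3, 530591416]
k = crt(result, factors)
print(k)  # 1670419487

# Undo the "encryption" C = M + k*G_.
M = C - G_ * k
print(M)  # (944662661 : 635214115 : 1)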
from Crypto.Cipher import AES
from hashlib import md5


def MD5(m):
    """Return the raw 16-byte MD5 digest of str(m); used as an AES-128 key."""
    h = md5()
    h.update(str(m).encode())
    return h.digest()


k = 1670419487  # scalar recovered in the Sage step above
M_x = 944662661 # x-coordinate of M = C - G_ * k = (944662661 : 635214115 : 1)
# Same key derivation as the server: AES key = MD5 digest of the decimal x-coordinate, ECB mode.
Cipher = AES.new(MD5(M_x), AES.MODE_ECB)
enc = bytes.fromhex(
    "29bb47e013bd91760b9750f90630d8ef82130596d56121dc101c631dd5d88201a41eb3baa5aa958a6cd082298fc18418"
)
flag = Cipher.decrypt(enc)
print(flag.decode()) # 0xGame{0b0e28c2-b36d-d745-c0be-fcf0986f316a}

EzLogin-I

使用CBC字节翻转攻击:规定密文为C(已知),解密后的密文块为B(未知),原来的明文为P(已知),它们满足 $IV \oplus B = P$。现在可以篡改IV,令 $IV' = P \oplus IV \oplus P'$,使得 $IV' \oplus B = P \oplus IV \oplus P' \oplus B = P'$,这样就能篡改cookie。

#!/usr/local/bin/python
from base64 import b64encode, b64decode
from datetime import datetime
import json


def pad(data: bytes):
    """Apply PKCS#7 padding for a 16-byte block (a full block is added when len is already a multiple)."""
    fill = 16 - (len(data) % 16)
    return data + fill.to_bytes(1, "big") * fill


def main():
    """Read a cookie issued for user "Admin" and print forged cookies for user "admin".

    The cookie is base64(IV || C) over the JSON {"username": ..., "time": ...}.
    The exact issuing timestamp is unknown, so one candidate is printed for
    each of the timestamps 5..14 seconds in the past.
    """
    raw = b64decode(input("[+] Enter your cookie:\n>").strip().encode())
    IV, C = raw[:16], raw[16:]  # IV and ciphertext as issued
    # Sample cookie whose first plaintext block is {"username": "A
    # mqP7rMoHp/NewIwl AOhBvwHRXLTEl9MYRwo4sDjhYSTIB/xRv835m+T4Jc19BYU5SgZRvtronSEn4BA+rYCPRA==

    now_ts = int(datetime.timestamp(datetime.now()))
    for back in range(5, 15):
        ts = now_ts - back
        # Plaintext we want the server to see ...
        P_ = pad(json.dumps({"username": "admin", "time": ts}).encode())
        # ... and the plaintext the cookie actually carries.
        P = pad(json.dumps({"username": "Admin", "time": ts}).encode())
        print(forge(P, P_, C, IV))


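def forge(P, P_, C, IV):
    """Return base64(IV' || C) so that the first plaintext block decrypts to P_ instead of P.

    CBC decryption yields P[0:16] = D(C[0:16]) XOR IV, so any byte of the
    first block can be steered through the IV: IV' = IV XOR P XOR P_. The
    ciphertext C is left untouched, which is why P and P_ may only differ
    inside the first block. The original flipped only byte 14 (the first
    character of the username); XORing the whole block gives the same IV'
    for that case and also handles differences at other positions.

    Args:
        P:  padded plaintext the cookie currently decrypts to.
        P_: padded plaintext the forged cookie should decrypt to.
        C:  ciphertext blocks following the IV.
        IV: original IV.

    Raises:
        ValueError: if P and P_ differ in length or anywhere past the first block.
    """
    if len(P) != len(P_) or P[16:] != P_[16:]:
        raise ValueError("P and P_ may only differ within the first 16-byte block")
    # Positions where P == P_ leave the IV byte unchanged.
    IV_ = bytes(iv ^ p ^ q for iv, p, q in zip(IV[:16], P[:16], P_[:16]))
    return b64encode(IV_ + C).decode()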


if __name__ == "__main__":
    main()  # only when run as a script, not on import
┌──(root㉿Spreng)-[~]
└─# nc 118.195.138.159 10005
+--------------+
| [R] Regist |
| [L] Login |
| [F] Getflag |
+--------------+

[+] Tell me your choice:
>R
[+] username:
>Admin
[+] cookie : O1yW3bpyePzOQVVAlHCrL7hO3jLlKV/BxQa6j5F36V8X1r6Ugng7FvRinuy2km8xGGanhUQLLm/2/AW6shCFjg==
[+] Tell me your choice:
>L
[+] cookie:
>O1yW3bpyePzOQVVAlHCLL7hO3jLlKV/BxQa6j5F36V8X1r6Ugng7FvRinuy2km8xGGanhUQLLm/2/AW6shCFjg==
[+] Here is flag1 : b'0xGame{ad34acff-a813-4bc3-a44a-c270edf244b7}'
[+] Tell me your choice:
>
[+] Enter your cookie:
> O1yW3bpyePzOQVVAlHCrL7hO3jLlKV/BxQa6j5F36V8X1r6Ugng7FvRinuy2km8xGGanhUQLLm/2/AW6shCFjg==
O1yW3bpyePzOQVVAlHCLL7hO3jLlKV/BxQa6j5F36V8X1r6Ugng7FvRinuy2km8xGGanhUQLLm/2/AW6shCFjg==

EzLogin-II

PaddingOracleAttack:与CBC翻转攻击类似,依然是 $IV \oplus B = P$,只不过这次的P是未知的。由于unpad过程有报错提示,可以据此判断P的情况。对B的对应字节进行枚举,例如枚举最后一个字节:当 $P' = \mathtt{0x00}$ 或 $\mathtt{0x01}$ 时提示JSON Wrong,否则提示Unkown Wrong;一般希望得到的是 $P' = \mathtt{0x01}$,这样就可以反推出B和P。枚举其他字节时,利用前面字节确定的B就可以定向控制P。

#!/usr/local/bin/python
from base64 import b64encode, b64decode
from Crypto.Cipher import AES
from datetime import datetime
from os import urandom
import json
from time import sleep
from pwn import *


KEY = urandom(16)  # carried over from the server source reproduced below (encrypt/decrypt/login); main() never uses it
flag2 = "0xGame{c0ngr4t1ng_w1th_c0d3_4r3_1n_th3_w0rld}" # 32 <= length < 48  -- placeholder from the server source; the real flag2 is fetched from the service in main()
ip = "118.195.138.159"
port = 10005
io = remote(ip, port)  # NOTE: the connection is opened at import time, before main() runs


def pad(data: bytes):
    """PKCS#7-pad `data` up to the next multiple of 16 bytes."""
    fill = 16 - len(data) % 16
    return data + bytes([fill]) * fill


def unpad(data: bytes):
    """Strip PKCS#7 padding, reporting (but not rejecting) malformed padding.

    The last byte is the padding length n; each of the last n bytes is
    compared against it and "Unpad error" is printed per mismatch, after
    which the n bytes are stripped regardless. A final byte of 0 therefore
    yields an empty result (data[:-0]).
    """
    n = data[-1]
    for back in range(1, n + 1):
        if data[-back] != n:
            print("Unpad error")
    return data[:-n]


def encrypt(data):
    """Encrypt a str with AES-128-CBC under KEY and a fresh random IV; return base64(IV || ciphertext)."""
    iv = urandom(16)
    cipher = AES.new(KEY, AES.MODE_CBC, iv)
    ct = cipher.encrypt(pad(data.encode()))
    return b64encode(iv + ct).decode()


def decrypt(data):
    """Inverse of encrypt(): base64-decode, split off the IV, CBC-decrypt, unpad and decode."""
    blob = b64decode(data)
    iv, ct = blob[:16], blob[16:]
    plain = AES.new(KEY, AES.MODE_CBC, iv).decrypt(ct)
    return unpad(plain).decode()


def login(data):
    """Server-side padding check reproduced from the challenge.

    Returns True iff the CBC-decrypted cookie ends in well-formed PKCS#7
    padding. Because the answer depends only on the padding bytes, this is
    the padding oracle the exploit below drives. Two quirks are preserved:
    a final byte of 0 is accepted (the range is empty), and a final byte
    above 16 is rejected without inspecting the data.
    """
    blob = b64decode(data.encode())
    iv, ct = blob[:16], blob[16:]
    plain = AES.new(KEY, AES.MODE_CBC, iv).decrypt(ct)
    n = plain[-1]
    if n > 16:
        return False
    return all(plain[-back] == n for back in range(1, n + 1))


def main():
    """Fetch the flag2 cookie from the service and recover its plaintext through the padding oracle."""
    # Menu option F hands out a cookie that encrypts flag2.
    io.sendlineafter(b"Tell me your choice:\n>", b"F")
    line = io.recvuntil(b"\n", drop=True).decode().strip()
    cookie = line.split("Here is flag2 :")[1].strip()
    print(f"[+] Here is flag2: {cookie}")
    blob = b64decode(cookie.encode())
    # Menu option L enters the login prompt that serves as the oracle.
    io.sendlineafter(b"Tell me your choice:\n>", b"L")

    recovered = bytearray()
    # Second and third ciphertext blocks only, as in the original (explode's
    # block 0 would be the first ciphertext block).
    for block_num in (1, 2):
        recovered += explode(blob, block_num)
    print(recovered)
    text = bytes(recovered).decode()
    print(text) # 0xGame{6e02937e-634d-4f6f-8ef6-e5f387006cde}


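def explode(data: bytes, block_num: int) -> bytearray:
    """Recover one 16-byte plaintext block of the cookie via the padding oracle.

    `data` is IV || C0 || C1 || ...; `block_num` selects ciphertext block
    C[block_num] (data[16*(block_num+1):16*(block_num+2)]) and the block in
    front of it (the IV when block_num == 0) is the one tampered with. For
    each position i counted from the end, the tampered block is set so the
    already-recovered bytes decrypt to the padding value i, and the byte
    under test is swept over 0..255 until put() reports that the padding was
    accepted. B collects the block-cipher output D_K(C[block_num]); the
    plaintext is B XOR the original preceding block.

    Returns None when block_num is negative or does not select a full block
    (the original returned None for block_num > 2 with a 64-byte cookie).

    Limitations kept from the original: for i == 1 the oracle may accept a
    byte that yields padding 0x02 0x02 (or longer) rather than 0x01, and a
    position where no byte is accepted is silently left as 0.
    """
    off = 16 * block_num
    prev, target = data[off:off + 16], data[off + 16:off + 32]
    if block_num < 0 or len(target) != 16:
        return None

    P = bytearray(16)  # recovered plaintext block
    B = bytearray(16)  # recovered block-cipher output bytes
    total = len(data) - 16  # plaintext bytes in the cookie (48 for a 64-byte cookie), for the progress line
    for i in range(1, 17):
        print(" ", end="\r")
        print(round(100 * (i - 1 + block_num * 16) / total, 2), "%", end="\r")
        for byte in range(256):
            IV_ = bytearray(prev)
            # Make the already-known tail decrypt to the padding value i.
            for j in range(1, i):
                IV_[-j] = B[-j] ^ i
            IV_[-i] = byte
            if put(b64encode(bytes(IV_) + target)):
                B[-i] = byte ^ i
                P[-i] = prev[-i] ^ B[-i]
                break
    return P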


def put(try_data):
    """Submit a candidate cookie to the login prompt; True iff the padding was accepted.

    The service answers "Unkown Wrong" when unpadding fails. Any other reply
    (printed for inspection) counts as success. An offline run could call
    login(try_data) here instead of talking to the remote.
    """
    io.sendlineafter(b"cookie:\n>", try_data)
    response = io.recvline()
    accepted = b"Unkown Wrong" not in response
    if accepted:
        print(response)
    return accepted


if __name__ == "__main__":
    main()  # note: the remote connection `io` above is already open by this point

LLL-I

先用LLL还原,正交矩阵会被约掉

# The 4x4 public matrix from the challenge (Sage). Its rows span the same
# lattice as the hidden matrix, so LLL is expected to return the short flag
# vector as the first reduced row (see the explanation below).
rows = [
    [
        1849784703482951012865152264025674575,
        2664848085955925754350117767673627932,
        2099783527396520151610274180590854166,
        1020558595577301617108111920545804527,
    ],
    [
        1207449566811121614020334020195802372,
        1954621976999112878661150903673543232,
        1326050406731534201574943690688237338,
        1361813208094227445768111591959011963,
    ],
    [
        888810907577479776819993141014777624,
        1216302736807928240875874427765340645,
        1027359437421599069599327712873719567,
        238961447144792739830554790892164336,
    ],
    [
        60622164517940943037274386912282,
        82958508138755168576836012717468,
        70072118066826856564329627650828,
        16296740862142507745322242235326,
    ],
]
mt = matrix(ZZ, rows)
print(mt.LLL()[0])

还原flag:

# Length is assumed to be 8 (not used below; kept from the author's notes)
Length = 8

# Rebuild the flag: each entry of the recovered vector holds a chunk of the flag bytes.
flag = b"".join(long_to_bytes(noise) for noise in Noise[0])

# Interpret the bytes as text.
flag = flag.decode("latin-1") # or another suitable encoding

print(flag) # 0xGame{04679c42-2bc1-42b2-b836-1b0ca542f36b}

理解这道题为什么用 LLL 可以直接得出答案需要理解两个点:

  1. 在 flag 信息较小的情况下,M 极大概率能用 LLL 还原出 flag。
  2. M 和 C*M 表示的格是相同的,对 M 和 C*M 进行格基规约是等效的。

第一点,举一个简单的例子:对于二维的格基(10,7)和(21,114514)进行格基规约,一定会保留(10,7),但(21,114514)一定会被约简。这道题也是,数量级小的 flag 信息和数量级大的 noise 同时格基规约,flag 信息极大概率会保留,除非两个数量级大的 noise 相减能得到比 flag 更小的格基,但这几乎是不可能的。

第二点,这个性质与三角、正交矩阵没关系,而是因为 C 行列式等于 1,像这样行列式等于 1 或-1 的矩阵叫单模矩阵。C*M 相当于一个对 M 的线性变换,这样的格基构成的格一定在 M 构成的格中。而格的行列式是个定量,对于同一个格的格基行列式总是相等的,由于 C*M 行列式没有变化,显然格也是不变的。

LLL-II

先推公式:

\begin{align} C_{i} &= aC_{i-1} + b \pmod m \\ km - aC_{i-1} + C_{i} &= b \pmod m \end{align}

构造矩阵:

$$\begin{bmatrix} k_1 & k_2 & k_3 & k_4 & -a & 1 \\ \end{bmatrix} \begin{bmatrix} m & 0 & 0 & 0 & 0 & 0 \\ 0 & m & 0 & 0 & 0 & 0 \\ 0 & 0 & m & 0 & 0 & 0 \\ 0 & 0 & 0 & m & 0 & 0 \\ C_0 & C_1 & C_2 & C_3 & -K/m & 0 \\ C_1 & C_2 & C_3 & C_4 & 0 & K \\ \end{bmatrix} = \begin{bmatrix} b_1 & b_2 & b_3 & b_4 & aK/m & K \\ \end{bmatrix}$$

对第二个矩阵进行LLL即可

# Five consecutive LCG outputs and the modulus from the challenge (Sage).
Cs = [
    11804527453299586684489593808016317337345238230165321056832279785591503368758306671170625597063579251464905729051049524014502008954170088604924368057540940,
    4930922884306486570759661288602557428608315558804950537470100263019228888817481617065454705843164809506859574053884206133344549895853064735361336486560981,
    5380263856446165449531647111260010594620416730932539097782399557603420658350407080366132490174060420530708293564252852668431923560882648691392446521188465,
    10746696290782998433216934286282230556131938525513632178308443345441147075710552571129957873399395862207656161609046567289600084193860244770966610161184627,
    2195032957511830992558961021566904850278796737316238566513837995297394215638259916944087623923636789312134734949452839561765171446217520081402769962517110,
]
m = 12813864523019740432913161815051292412705285817864701047922722497269479288096574264414061282833203433542813637861620032851255308640850882149603687035724753

# Lattice from the derivation above: (k1..k4, -a, 1) * M = (b1..b4, a*K/m, K),
# a short vector because the b_i are small compared with m. K weights the last
# two columns so the (-a, 1) combination survives reduction.
K = 2**128
diagonal = [[m if r == c else 0 for c in range(6)] for r in range(4)]
M = Matrix(diagonal + [
    [Cs[0], Cs[1], Cs[2], Cs[3], -K/m, 0],
    [Cs[1], Cs[2], Cs[3], Cs[4], 0, K],
])
L = M.LLL()
# The reduced row's second-to-last entry is a*K/m (up to sign); rescale to read off a mod m.
print(L[1,-2] / K * m % m)
from Crypto.Util.number import getPrime, inverse
from hashlib import md5


def MD5(m):
    """Return the lowercase hex MD5 of str(m) (the flag body format for this challenge)."""
    h = md5()
    h.update(str(m).encode())
    return h.hexdigest()


# Modulus and the most recent LCG output from the challenge.
m = 12813864523019740432913161815051292412705285817864701047922722497269479288096574264414061282833203433542813637861620032851255308640850882149603687035724753
cur = 11804527453299586684489593808016317337345238230165321056832279785591503368758306671170625597063579251464905729051049524014502008954170088604924368057540940
# The first value is an earlier candidate for `a` left in the notes; it is
# overwritten by the next assignment and never used.
a = 88228655655643892993781402176287725906648157132284850532547692363725282117565848131827912110567885672978666024219540979856
a = 105335058376849464581926358411480063090049833236632732289586293246093519574939
print(a.bit_length()) # 256
# Step the generator backwards: seed = cur * a^-1 (mod m).
a_inv = inverse(a, m)
seed = (cur * a_inv) % m
print(seed.bit_length()) # 510
print("0xGame{" + MD5(seed) + "}") # 0xGame{2db84757dd4197f9b9441be25f35bfd5}

LLL-III

多元Coppersmith解法

import itertools
def small_roots(f, bounds, m=1, d=None):
    """Multivariate Coppersmith small-root finder (Sage; the common lattice construction).

    f      : polynomial over Zmod(N) whose small roots are wanted
    bounds : upper bound for each variable, in f.variables() order
    m      : multiplicity parameter (more shift polynomials, larger lattice)
    d      : shift degree; defaults to f.degree()
    Returns a list of root tuples (as elements of f's base ring), or [] when
    the ideal of the reduced polynomials is not zero-dimensional.

    NOTE: `^` below is Sage exponentiation (rewritten by the Sage preparser);
    read as plain Python it would be XOR.
    """
    if not d:
        d = f.degree()
    R = f.base_ring()
    N = R.cardinality()
    f /= f.coefficients().pop(0)  # divide by the first listed coefficient (intended to normalise f)
    f = f.change_ring(ZZ)
    G = Sequence([], f.parent())
    # Shift polynomials N^(m-i) * f^i * x^shifts; all vanish at the roots of f modulo N^m.
    for i in range(m+1):
        base = N^(m-i) * f^i
        for shifts in itertools.product(range(d), repeat=f.nvariables()):
            g = base * prod(map(power, f.variables(), shifts))
            G.append(g)
    B, monomials = G.coefficient_matrix()
    monomials = vector(monomials)
    # Scale each column by its monomial evaluated at the bounds so that LLL
    # favours vectors that are short for small roots, then undo the scaling.
    factors = [monomial(*bounds) for monomial in monomials]
    for i, factor in enumerate(factors):
        B.rescale_col(i, factor)
    B = B.dense_matrix().LLL()
    B = B.change_ring(QQ)
    for i, factor in enumerate(factors):
        B.rescale_col(i, 1/factor)
    # Turn the reduced rows back into polynomials over QQ and look for common roots.
    H = Sequence([], f.parent().change_ring(QQ))
    for h in filter(None, B*monomials):
        H.append(h)
    I = H.ideal()
    if I.dimension() == -1:
        H.pop()  # NOTE(review): has no effect, the function returns [] right after
    elif I.dimension() == 0:
        roots = []
        for root in I.variety(ring=ZZ):
            root = tuple(R(root[var]) for var in f.variables())
            roots.append(root)
        return roots
    return []
# sage

# LCG parameters from the challenge: state_{i+1} = a * state_i + b (mod n).
n = 181261975027495237253637490821967974838107429001673555664278471721008386281743
a = 80470362380817459255864867107210711412685230469402969278321951982944620399953
b = 108319759370236783814626433000766721111334570586873607708322790512240104190351
# Truncated outputs: each is a state with its low 115 bits dropped (see the <<115 below).
output = [
    2466192191260213775762623965067957944241015,
    1889892785439654571742121335995798632991977,
    1996504406563642240453971359031130059982231,
    1368301121255830077201589128570528735229741,
    3999315855035985269059282518365581428161659,
    3490328920889554119780944952082309497051942,
    2702734706305439681672702336041879391921064,
    2326204581109089646336478471073693577206507,
    3428994964289708222751294105726231092393919,
    1323508022833004639996954642684521266184999,
    2208533770063829989401955757064784165178629,
    1477750588164311737782430929424416735436445,
    973459098712495505430270020597437829126313,
    1849038140302190287389664531813595944725351,
    1172797063262026799163573955315738964605214,
    1754102136634863587048191504998276360927339,
    113488301052880487370840486361933702579704,
    2862768938858887304461616362462448055940670,
    3625957906056311712594439963134739423933712,
    3922085695888226389856345959634471608310638,
]

# Sage preparser syntax: x, y are the unknown low 115 bits of the first two states.
PR.<x,y> = PolynomialRing(Zmod(n))
# f = 0 exactly when (s0 = output[0]<<115 + x) steps to (s1 = output[1]<<115 + y).
f = ((output[0]<<115)+ x) * a + b - ((output[1]<<115) + y)
roots = small_roots(f,(2^115, 2^115), m=4, d=4)  # bounds 2^115 for both unknowns; `^` is Sage exponentiation
s1 = (output[0]<<115) + roots[0][0]  # full first state (named s1 in the original)
# Step back one iteration to the seed: seed = (s1 - b) * a^-1 (mod n).
m = (s1 - b) * inverse_mod(a, n) % n
print(m) # 101639613050544872292192629515273562035022699788445344858455157668840828973361


from hashlib import md5


def MD5(m):
    """Return the lowercase hex MD5 of str(m)."""
    return md5(str(m).encode("utf-8")).hexdigest()


seed = 101639613050544872292192629515273562035022699788445344858455157668840828973361  # recovered in the Sage step above
print("".join(["0xGame{", MD5(seed), "}"])) # 0xGame{459049e068d93f6d70f1ea0da705264a}

这题当时是用多元 Coppersmith 做的:用多元 Coppersmith 脚本求解 h + p = a*seed + b 中的 p 和 seed,恰好只有一组解。

构造格的过程如下:p 的数量级是 $2^{115}$,这里的 K 设为 $2^{115}$ 较为适宜。

IMG_20250223_141359

Reverse

BabyASM

先化简原文

data = [20, 92, 43, 69, 81, 73, 95, 23, 72, 22, 24, 69, 25, 27, 22, 17, 23, 29, 24, 73, 17, 24, 85, 27, 112, 76, 15, 92, 24, 1, 73, 84, 13, 81, 12, 0, 84, 73, 82, 8, 82, 81, 76, 125]

def printFLAG():
printf("%s\n", data)

main:
index = 0
goto L3
L4:
eax = data[index]
eax += 28
data[index] = eax
index += 1

L3:
if index<= 21 goto L4

L5:
edx = data[index]
eax = data[index-22]
edx ^= eax
data[index-22] = edx
add index, 1
if index <= 42 goto L5
printFLAG

转为python代码就是:

data = [20, 92, 43, 69, 81, 73, 95, 23, 72, 22, 24, 69, 25, 27, 22, 17, 23, 29, 24, 73, 17, 24, 85, 27, 112, 76, 15, 92, 24, 1, 73, 84, 13, 81, 12, 0, 84, 73, 82, 8, 82, 81, 76, 125]


def printf(format, *args):
    """Minimal stand-in for C printf: %-format `args` into `format` and print it (a newline is always appended)."""
    rendered = format % args
    print(rendered)


def printFLAG(flag_bytes):
    """Print the byte values as a bytes literal (mirrors the binary's printf("%s", data))."""
    as_bytes = bytes(flag_bytes)
    printf("%s", as_bytes)


def main():
    """Replay the binary's two loops on the global `data` and print it after each.

    Loop 1 adds 28 to the first 22 bytes; loop 2 XORs each of bytes 22..42
    with the byte 22 positions earlier. The intermediate print matches the
    trace in the writeup.
    """
    # Slice assignment mutates the same list object the binary would modify.
    data[:22] = [value + 28 for value in data[:22]]
    printFLAG(data)

    for idx in range(22, 43):
        data[idx] = data[idx] ^ data[idx - 22]
    printFLAG(data)
    # 0xGame{3d24a572-394e-aec7-b9c2-f9097fda1f4L}


if __name__ == "__main__":
    main()  # mutates the module-level `data` list in place

LittlePuzzle

在线反编译jar,转python

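def exit():
    """Report a failed puzzle check and terminate the program with status 1.

    Raises:
        SystemExit: always, with code 1.

    The name shadows the builtin exit(). The original body called exit(1),
    which re-entered this zero-argument function and failed with a TypeError
    instead of terminating; SystemExit is raised directly here, which needs
    no import.
    """
    print("解谜失败")
    raise SystemExit(1)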


def check(board, x, y):
    """Return True if board[x][y] does not repeat in its row, column or 3x3 box.

    The row/column scan skips index x and index y on both axes (as in the
    original); the box scan skips cells that share the row or the column of
    (x, y), which the row/column scan already covers.
    """
    value = board[x][y]
    for i in range(9):
        if i == x or i == y:
            continue
        if value in (board[x][i], board[i][y]):
            return False

    box_row, box_col = x - x % 3, y - y % 3
    for r in range(box_row, box_row + 3):
        for c in range(box_col, box_col + 3):
            if r != x and c != y and board[r][c] == value:
                return False
    return True


def flag(answer):
    """Hex-encode `answer` six decimal digits at a time and join the pieces (no 0x prefixes)."""
    chunks = (answer[start:start + 6] for start in range(0, len(answer), 6))
    return "".join(format(int(chunk), "x") for chunk in chunks)


def main():
    """Fill the sudoku blanks from the hard-coded answer digits, validate every cell and print the flag."""
    board = [
        [5, 7, 0, 9, 4, 0, 8, 0, 0],
        [0, 0, 8, 0, 3, 0, 0, 0, 5],
        [0, 1, 0, 2, 0, 0, 0, 3, 7],
        [0, 0, 9, 7, 2, 0, 0, 0, 0],
        [7, 3, 4, 0, 0, 8, 0, 0, 0],
        [0, 0, 0, 0, 0, 0, 7, 5, 1],
        [3, 0, 0, 0, 1, 4, 2, 0, 0],
        [0, 6, 0, 0, 0, 2, 0, 4, 0],
        [0, 2, 7, 0, 0, 9, 5, 0, 0],
    ]

    # Solved grid; the digits written into the 48 blanks, read row by row,
    # form `answer` (4+6+5+6+5+6+5+6+5 = 48 digits):
    #   5 7 3 | 9 4 1 | 8 6 2
    #   2 4 8 | 6 3 7 | 1 9 5
    #   9 1 6 | 2 8 5 | 4 3 7
    #   1 5 9 | 7 2 6 | 3 8 4
    #   7 3 4 | 1 5 8 | 6 2 9
    #   6 8 2 | 4 9 3 | 7 5 1
    #   3 9 5 | 8 1 4 | 2 7 6
    #   8 6 1 | 5 7 2 | 9 4 3
    #   4 2 7 | 3 6 9 | 5 1 8
    #   -> 3162 246719 96854 156384 15629 682493 95876 815793 43618

    print("请输入你的解谜结果:")
    answer = "316224671996854156384156296824939587681579343618"
    if len(answer) != 48:
        exit()

    next_digit = 0  # index of the next unread answer digit
    for row in board:
        for col, cell in enumerate(row):
            if cell != 0:
                continue
            digit = int(answer[next_digit])
            if 1 <= digit <= 9:
                row[col] = digit
                next_digit += 1
            else:
                exit()

    for i in range(9):
        for j in range(9):
            if not check(board, i, j):
                exit()

    print(f"0xGame{{{flag(answer)}}}") # 0xGame{4d340a40fcd088c5dc9c48778e5643a666b53e42}


if __name__ == "__main__":
    main()  # the solved-grid check below is the author's offline verification

# board = [
# [5, 7, 3, 9, 4, 1, 8, 6, 2],
# [2, 4, 8, 6, 3, 7, 1, 9, 5],
# [9, 1, 6, 2, 8, 5, 4, 3, 7],
# [1, 5, 9, 7, 2, 6, 3, 8, 4],
# [7, 3, 4, 1, 5, 8, 6, 2, 9],
# [6, 8, 2, 4, 9, 3, 7, 5, 1],
# [3, 9, 5, 8, 1, 4, 2, 7, 6],
# [8, 6, 1, 5, 7, 2, 9, 4, 3],
# [4, 2, 7, 3, 6, 9, 5, 1, 8],
# ]
# for i in range(9):
# for j in range(9):
# if not check(board, i, j):
# print("解谜失败")

只要把数独给解了,把填入的数组合在一起运行一下就出来了

import java.util.Scanner;

public class Puzzle {
    /** Puzzle grid; 0 marks a blank that the answer digits fill in reading order. */
    static int[][] board = new int[][] {
        { 5, 7, 0, 9, 4, 0, 8, 0, 0 },
        { 0, 0, 8, 0, 3, 0, 0, 0, 5 },
        { 0, 1, 0, 2, 0, 0, 0, 3, 7 },
        { 0, 0, 9, 7, 2, 0, 0, 0, 0 },
        { 7, 3, 4, 0, 0, 8, 0, 0, 0 },
        { 0, 0, 0, 0, 0, 0, 7, 5, 1 },
        { 3, 0, 0, 0, 1, 4, 2, 0, 0 },
        { 0, 6, 0, 0, 0, 2, 0, 4, 0 },
        { 0, 2, 7, 0, 0, 9, 5, 0, 0 } };

    /** Print the failure message and terminate the JVM with status 1. */
    public static void exit() {
        System.out.println("解谜失败");
        System.exit(1);
    }

    /**
     * True when board[x][y] is unique within its row, column and 3x3 box.
     * The row/column scan skips both index x and index y; the box scan skips
     * cells sharing the row or column of (x, y), which the first scan covers.
     */
    public static boolean check(int x, int y) {
        final int value = board[x][y];
        for (int i = 0; i < 9; ++i) {
            if (i == x || i == y) {
                continue;
            }
            if (value == board[x][i] || value == board[i][y]) {
                return false;
            }
        }

        final int boxRow = x - x % 3;
        final int boxCol = y - y % 3;
        for (int r = boxRow; r < boxRow + 3; ++r) {
            for (int c = boxCol; c < boxCol + 3; ++c) {
                if (r != x && c != y && value == board[r][c]) {
                    return false;
                }
            }
        }
        return true;
    }

    /** Hex-encode the answer six decimal digits at a time and concatenate the pieces. */
    static String flag(String answer) {
        StringBuilder out = new StringBuilder();
        for (int start = 0; start < answer.length(); start += 6) {
            int chunk = Integer.parseInt(answer.substring(start, start + 6));
            out.append(Integer.toHexString(chunk));
        }
        return out.toString();
    }

    public static void main(String[] var0) {
        // Reading the answer from stdin was replaced by the solved answer in the writeup:
        // System.out.println("请输入你的解谜结果:");
        // Scanner scanner = new Scanner(System.in);
        // String answer = scanner.nextLine();
        // scanner.close();
        String answer = "316224671996854156384156296824939587681579343618";
        if (answer.length() != 48) {
            exit();
        }

        int next = 0; // index of the next unread answer digit
        for (int[] row : board) {
            for (int c = 0; c < row.length; ++c) {
                if (row[c] != 0) {
                    continue;
                }
                int digit = answer.charAt(next) - '0';
                if (digit > 0 && digit <= 9) {
                    row[c] = digit;
                    ++next;
                } else {
                    exit();
                }
            }
        }

        for (int r = 0; r < 9; ++r) {
            for (int c = 0; c < 9; ++c) {
                if (!check(r, c)) {
                    exit();
                }
            }
        }

        System.out.println(String.format("0xGame{%s}", flag(answer)));
    }
}

Tea

由于C和python的位运算符不太一样,而且程序本来就是C写的,脚本就用C了

tea的解密只要把程序倒过来抄一遍就可以了

#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Reverse the first len bytes of a1 in place by swapping from both ends. */
void preProcess(char *a1, int len)
{
    char *lo = a1;
    char *hi = a1 + (len - 1);
    while (lo < hi) {
        char tmp = *lo;
        *lo++ = *hi;
        *hi-- = tmp;
    }
}

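/*
 * Decrypt one 64-bit TEA block in place: data[0..1] are the two 32-bit halves,
 * k[0..3] the 128-bit key. Standard TEA, 32 rounds, delta = 0x9E3779B9: the
 * round counter starts at 32*delta and is decreased by delta each round.
 *
 * The original computed the counter as `int v5 = -1640531527 * 32`, which
 * overflows a signed int (undefined behaviour) and only worked because the
 * result happened to wrap to 0xC6EF3720. All arithmetic is done in uint32_t
 * here, so every step is well defined and the per-round values are the same.
 */
void tea_dec(uint32_t *data, uint32_t *k)
{
    const uint32_t delta = 0x9E3779B9u;   /* == (uint32_t)-1640531527 */
    uint32_t v0 = data[0];
    uint32_t v1 = data[1];
    uint32_t sum = delta * 32u;           /* 0xC6EF3720 */
    for (int i = 0; i < 32; ++i) {
        v1 -= ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
        v0 -= ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        sum -= delta;
    }
    data[0] = v0;
    data[1] = v1;
}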

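int main(void)
{
    /* 40 ciphertext bytes as stored in the binary, plus a NUL so the result can
     * be printed as a C string (the original had no terminator and printf read
     * past the array). unsigned char avoids narrowing values >= 0x80 into a
     * signed char. */
    unsigned char data[41] = {
        0xC9, 0xB6, 0x5C, 0xCE, 0xF8, 0xEE, 0x8E, 0xA2, 0x33, 0x36,
        0x34, 0x63, 0x37, 0x32, 0x36, 0x64, 0x38, 0x37, 0x65, 0x33,
        0x62, 0x33, 0x63, 0x64, 0x36, 0x39, 0x64, 0x34, 0x64, 0x30,
        0x62, 0x38, 0x2A, 0x7A, 0x7C, 0x3B, 0x85, 0x33, 0x6D, 0xD3, 0x00};

    /* Key bytes 02 00 00 00 | 00 00 00 00 | 02 00 00 00 | 04 00 00 00, read as
     * the little-endian 32-bit words the binary reinterpreted them as. */
    uint32_t k[4] = {2u, 0u, 2u, 4u};

    preProcess((char *)data, 40);

    /* The original loop ran i < 5 with stride 32 over a 40-byte buffer, i.e.
     * it read and wrote data[64..], data[96..] and data[128..] out of bounds.
     * Only the two in-bounds blocks (offsets 0 and 32) are decrypted here;
     * memcpy avoids the unaligned uint32_t* cast. */
    for (size_t off = 0; off + 8 <= 40; off += 32) {
        uint32_t blk[2];
        memcpy(blk, data + off, sizeof blk);
        tea_dec(blk, k);
        memcpy(data + off, blk, sizeof blk);
    }
    printf("%s\n", (char *)data); // 0xGame{e8b0d4d96dc3b3e78d627c463c9953a1}

    return 0;
}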

The Matrix

这道题最开始叫Mad Matrix

这道题读程序比较麻烦:hello 就是给矩阵赋值的,前几位保存行数、列数,代码中只用到了 3 阶矩阵。

matmul就是矩阵的乘法

加密过程就是用输入做出7个矩阵,其中存在数据的复用。然后再轮流左乘k对应的4个矩阵,与data对比。

#include <stdio.h>
#include <stdint.h>
#include <string.h>
#include <stdlib.h>

// hello: copy the matrix data at a1 into the descriptor a2.
// a1: 9 matrix values, 4 bytes each.
// a2: matrix descriptor; byte 0 = rows, byte 1 = cols, and an 8-byte pointer
//     to the 36-byte data area at offset 8 (see the malloc(0x10)/malloc(0x24)
//     pairs in Morpheus and main). Only the data is written here; the caller
//     sets rows/cols beforehand.
unsigned __int8 *hello(__int64 a1, unsigned __int8 *a2)
{
    for (int i = 0; i < 9; ++i)
    {
        // *((uint64_t *)a2 + 1) is the data pointer; copy nine 32-bit words.
        *(uint32_t *)(*((uint64_t *)a2 + 1) + 4 * i) = *(uint32_t *)(a1 + 4 * i);
    }
    return a2;
}

// Morpheus: build the seven 3x3 matrices from the input string (input -> memory).
// memory: output array of 7 descriptor pointers, 8 bytes apart.
// input:  the flag candidate read by main; NUL-terminated, at most 64 chars
//         because main reads it with scanf("%64s").
void Morpheus(__int64 memory, __int64 input)
{
    __int64 v5; // [rsp+0h] [rbp-80h]
    __int32 v6[64]; // 4 * 64 -- one 32-bit word per input character
    unsigned char *v7; // [rsp+120h] [rbp+A0h]
    int j; // [rsp+128h] [rbp+A8h]
    int i; // [rsp+12Ch] [rbp+ACh]

    // Zero 256 bytes starting 32 bytes past v5; by the stack layout this appears
    // to be v6 (64 words) -- decompiler artefact, verify against the binary.
    memset(&v5 + 4, 0, 0x100u);

    // Widen each input byte into its own 32-bit slot until the NUL terminator
    // (a 44-char flag fills v6[0..43]; the rest stays zero).
    for (i = 0; *(unsigned char *)(input + i); ++i)
        v6[i] = *(char *)(input + i);

    for (j = 0; j < 7; ++j)
    {
        // Fresh 16-byte descriptor: rows = cols = 3, data pointer at offset 8
        // to a 36-byte (9-word) buffer.
        v7 = malloc(0x10u);
        *v7 = 3;
        v7[1] = 3;
        *((int64_t *)v7 + 1) = malloc(0x24u);

        // Matrix j takes words 6j .. 6j+8 of v6, so consecutive matrices overlap
        // by three words; the 7 windows cover slots 0..44 of the 44-char input
        // (the last slot is the zero fill).
        if (&v6[6 * j])
            // The address of an array element is never null, so this is always taken.
            hello((__int64)&v6[6 * j], v7);
        // memory[j] = descriptor pointer.
        *(int64_t *)(memory + 8 * j) = v7;
    }
}
// Neo: determinant of the matrix described by a1 (descriptor layout as in hello()).
// main uses it only as a zero/non-zero gate before multiplying with a key matrix.
__int64 Neo(unsigned __int8 *a1)
{
    FILE *v1; // rax
    __int64 result; // rax
    FILE *v3; // rax
    int v4; // ebx
    void *Memory; // [rsp+28h] [rbp-58h]
    uint32_t *v6; // [rsp+30h] [rbp-50h]
    unsigned __int8 y; // [rsp+38h] [rbp-48h]
    unsigned __int8 x; // [rsp+39h] [rbp-47h]
    unsigned __int8 i; // [rsp+3Ah] [rbp-46h]
    char v10; // [rsp+3Bh] [rbp-45h]
    unsigned int v11; // [rsp+3Ch] [rbp-44h]
    char *v12; // [rsp+60h] [rbp-20h]

    v12 = (char *)a1;
    x = a1[0];
    y = a1[1];

    if (x != y)
    {
        // Not square: report on stderr (__acrt_iob_func(2)) and return 0.
        v1 = (FILE *)__acrt_iob_func(2);
        fwrite("ERROR:Det Matrix input is not sqare matrix!", 1u, 0x2Bu, v1);
        return 0;
    }

    v6 = (uint32_t *)*((uint64_t *)a1 + 1);
    // Dispatch on the order of the (square) matrix.
    switch (x)
    {
    case 0:
        v3 = (FILE *)__acrt_iob_func(2);
        fwrite("ERROR:Det Matrix input is zero!", 1u, 0x1Fu, v3);
        return 0;
    case 1:
        // 1x1: the single element.
        return **((unsigned int **)a1 + 1);

    case 2:
        // 2x2: a*d - b*c in unsigned 32-bit arithmetic.
        return (unsigned int)(v6[3] * *v6 - v6[1] * v6[2]);

    default:
        // n >= 3: Laplace expansion along the first row. leftMatrix() is not
        // shown on this page; from its use it presumably writes the minor that
        // omits row 0 and column i into Memory -- verify against the binary.
        v11 = 0;
        v10 = 1; // alternating sign: +1, -1, +1, ...
        Memory = malloc(0x10u); // descriptor for the (n-1)x(n-1) minor
        *(unsigned char *)Memory = x - 1;
        *((unsigned char *)Memory + 1) = y - 1;
        *((uint64_t *)Memory + 1) = malloc(4 * (x - 1) * (__int64)(y - 1));
        for (i = 0; i < x; ++i)
        {
            leftMatrix(0, i, v12, Memory);
            v4 = v6[i] * v10; // a[0][i] with its cofactor sign
            v11 += v4 * (unsigned __int64)Neo(Memory); // recursive minor; accumulates modulo 2^32
            v10 = -v10;
        }
        free(*((void **)Memory + 1));
        free(Memory);
        return v11;
    }
}
// guess: matrix multiplication a1 * a2 -> a3 (all three are descriptors).
// Returns a3 on success, 0 if a3 is null, aliases an input, or the shapes do not match.
__int64 guess(unsigned __int8 *a1, __int64 a2, __int64 a3)
{
    unsigned __int8 v4; // [rsp+Eh] [rbp-12h]
    unsigned __int8 v5; // [rsp+Fh] [rbp-11h]
    unsigned __int8 v6; // [rsp+10h] [rbp-10h]
    unsigned __int8 k; // [rsp+11h] [rbp-Fh]
    unsigned __int8 j; // [rsp+12h] [rbp-Eh]
    unsigned __int8 i; // [rsp+13h] [rbp-Dh]
    int v10; // [rsp+14h] [rbp-Ch]
    int v11; // [rsp+18h] [rbp-8h]
    int v12; // [rsp+1Ch] [rbp-4h]

    // a3 must be a (non-null) descriptor distinct from both inputs.
    if (!a3)
        return 0;
    if ((unsigned __int8 *)a3 == a1 || a3 == a2)
        return 0;
    // a1's column count (a1[1]) must equal a2's row count (*a2).
    if (a1[1] != *(unsigned char *)a2)
        return 0;
    v12 = 0; // write index into a3's data
    v11 = 0; // start of row i in a1's data (i * cols(a1))
    v6 = *a1; // rows(a1)
    v5 = a1[1]; // cols(a1) == rows(a2): the inner dimension
    v4 = *(unsigned char *)(a2 + 1); // cols(a2)
    // Plain triple loop over i (rows of a1), j (cols of a2), k (inner dimension).
    for (i = 0; i < a1[0]; ++i)
    {
        for (j = 0; j < v4; ++j)
        {
            // a3.data[v12] = sum_k a1[i][k] * a2[k][j]
            *(uint32_t *)(*(uint64_t *)(a3 + 8) + 4 * v12) = 0;
            v10 = 0; // start of row k in a2's data (k * cols(a2))
            for (k = 0; k < v5; ++k)
            {
                *(uint32_t *)(*(uint64_t *)(a3 + 8) + 4 * v12) +=
                    *(uint32_t *)(*(uint64_t *)(a2 + 8) + 4 * (v10 + j)) *
                    *(uint32_t *)(*((uint64_t *)a1 + 1) + 4 * (v11 + k));
                v10 += v4;
            }
            ++v12;
        }
        v11 += v5;
    }
    return a3;
}
// byebye: compare a 3x3 matrix's 36 data bytes with the expected bytes at a2.
// Returns memcmp's result (0 on match), or -1 when a1 is not 3x3 (rows*cols != 9).
int byebye(unsigned __int8 *a1, const void *a2)
{
    int result; // eax

    if (*a1 * a1[1] == 9)
        result = memcmp(*((const void **)a1 + 1), a2, 36);
    else
        result = -1;
    return result;
}

// main: read the flag candidate, build 7 matrices from it (Morpheus), multiply
// each by a key matrix (guess) and compare with the stored products (byebye).
int __cdecl main(int argc, const char **argv, const char **envp)
{
    // Four key-matrix descriptors, each: v? = rows, v? = cols, v? = data pointer.
    char v4; // [rsp+20h] [rbp-60h]
    char v5; // [rsp+50h] [rbp-30h]
    char v6; // [rsp+51h] [rbp-2Fh]
    char *v7; // [rsp+58h] [rbp-28h]

    char v8; // [rsp+60h] [rbp-20h]
    char v9; // [rsp+90h] [rbp+10h]
    char v10; // [rsp+91h] [rbp+11h]
    char *v11; // [rsp+98h] [rbp+18h]

    char v12; // [rsp+A0h] [rbp+20h]
    char v13; // [rsp+D0h] [rbp+50h]
    char v14; // [rsp+D1h] [rbp+51h]
    char *v15; // [rsp+D8h] [rbp+58h]

    char v16; // [rsp+E0h] [rbp+60h]
    char v17; // [rsp+110h] [rbp+90h]
    char v18; // [rsp+111h] [rbp+91h]
    char *v19; // [rsp+118h] [rbp+98h]

    // v20..v23 are consecutive, so (&v20)[i % 4] below indexes them as an array.
    char *v20; // [rsp+120h] [rbp+A0h]
    char *v21; // [rsp+128h] [rbp+A8h]
    char *v22; // [rsp+130h] [rbp+B0h]
    char *v23; // [rsp+138h] [rbp+B8h]

    // Str is a 0x240-byte input buffer in the binary (memset below); the
    // decompiler shows only its first byte.
    char Str; // [rsp+2C0h] [rbp+240h]
    unsigned char *v28; // [rsp+300h] [rbp+280h]
    unsigned int lenStr; // [rsp+308h] [rbp+288h]
    int j; // [rsp+310h] [rbp+290h]
    int k; // [rsp+314h] [rbp+294h]
    int i; // [rsp+318h] [rbp+298h]
    int v33; // [rsp+31Ch] [rbp+29Ch]

    printf("Welcome to the test of Mad Matrix.\nNow you are allowed to input flag:");
    memset(&Str, 0, 0x240u);
    // %64s caps the read at 64 characters (+ NUL), which also fits v6[64] in Morpheus.
    scanf("%64s", &Str);
    lenStr = strlen(&Str);

    // Key matrices as dumped from .data, little-endian 32-bit words (one byte shown per word):
    // KeyMatrix_Array 1000 3000 1000 0000 2000 1000 1000 2000 0000
    // unk_404044 1000 2000 2000 3000 5000 6000 0000 2000 1000
    // unk_404068 0000 4000 3000 1000 2000 1000 2000 3000 1000
    // unk_40408C 1000 2000 3000 3000 5000 6000 1000 4000 A000
    // unk_4040C0 E8100C0100 2000 3000 4000 5000 2000 3000 4000
    // NOTE: brace-initialising a `char *` is not valid C; in the binary these are
    // 36-byte arrays (9 words) and `&unk_...` below takes their address.
    char *unk_404044 = {1, 0, 0, 0, 2, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 1, 0, 0, 0};
    char *unk_40408C = {1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 3, 0, 0, 0, 5, 0, 0, 0, 6, 0, 0, 0, 1, 0, 0, 0, 4, 0, 0, 0, 0xA, 0, 0, 0};
    char *KeyMatrix_Array = {1, 0, 0, 0, 3, 0, 0, 0, 1, 0, 0, 0, 0, 0, 0, 0, 2, 0, 0, 0, 1, 0, 0, 0, 1, 0, 0, 0, 2, 0, 0, 0, 0, 0, 0, 0};
    char *unk_404068 = {0, 0, 0, 0, 4, 0, 0, 0, 3, 0, 0, 0, 1, 0, 0, 0, 2, 0, 0, 0, 1, 0, 0, 0, 2, 0, 0, 0, 3, 0, 0, 0, 1, 0, 0, 0};

    // Expected products: 7 matrices x 9 little-endian words (252 bytes) plus a trailing zero word.
    unsigned char unk_4040C0[] = {
        0xE8, 0x1, 0x0, 0x0, 0xC0, 0x1, 0x0, 0x0,
        0x81, 0x1, 0x0, 0x0, 0x57, 0x5, 0x0, 0x0,
        0xD3, 0x4, 0x0, 0x0, 0x1E, 0x4, 0x0, 0x0,
        0x3D, 0x1, 0x0, 0x0, 0x11, 0x1, 0x0, 0x0,
        0x2, 0x1, 0x0, 0x0, 0x6C, 0x2, 0x0, 0x0,
        0x40, 0x1, 0x0, 0x0, 0x45, 0x1, 0x0, 0x0,
        0xB7, 0x5, 0x0, 0x0, 0xEC, 0x2, 0x0, 0x0,
        0xF3, 0x2, 0x0, 0x0, 0xE9, 0x5, 0x0, 0x0,
        0x1D, 0x3, 0x0, 0x0, 0x36, 0x3, 0x0, 0x0,
        0x4D, 0x1, 0x0, 0x0, 0x0A, 0x1, 0x0, 0x0,
        0x92, 0x1, 0x0, 0x0, 0xD, 0x0, 0x0, 0x0,
        0x9F, 0x0, 0x0, 0x0, 0xF5, 0x0, 0x0, 0x0,
        0xBD, 0x0, 0x0, 0x0, 0xA1, 0x0, 0x0, 0x0,
        0x1, 0x1, 0x0, 0x0, 0x62, 0x1, 0x0, 0x0,
        0x47, 0x1, 0x0, 0x0, 0x23, 0x2, 0x0, 0x0,
        0xFB, 0x0, 0x0, 0x0, 0xC0, 0x0, 0x0, 0x0,
        0x26, 0x1, 0x0, 0x0, 0x91, 0x1, 0x0, 0x0,
        0x23, 0x1, 0x0, 0x0, 0xB7, 0x1, 0x0, 0x0,
        0xF0, 0x0, 0x0, 0x0, 0xFD, 0x0, 0x0, 0x0,
        0x0D, 0x1, 0x0, 0x0, 0x9E, 0x2, 0x0, 0x0,
        0xC0, 0x2, 0x0, 0x0, 0xF1, 0x2, 0x0, 0x0,
        0x91, 0x0, 0x0, 0x0, 0x9F, 0x0, 0x0, 0x0,
        0xA4, 0x0, 0x0, 0x0, 0x29, 0x2, 0x0, 0x0,
        0x3B, 0x1, 0x0, 0x0, 0x2E, 0x1, 0x0, 0x0,
        0xE4, 0x4, 0x0, 0x0, 0xD8, 0x2, 0x0, 0x0,
        0xC7, 0x2, 0x0, 0x0, 0xBD, 0x5, 0x0, 0x0,
        0x25, 0x3, 0x0, 0x0, 0xE4, 0x2, 0x0, 0x0,
        0xC7, 0x1, 0x0, 0x0, 0x51, 0x1, 0x0, 0x0,
        0xD5, 0x0, 0x0, 0x0, 0xFE, 0x0, 0x0, 0x0,
        0xE5, 0x0, 0x0, 0x0, 0x6E, 0x0, 0x0, 0x0,
        0x2C, 0x1, 0x0, 0x0, 0xA0, 0x0, 0x0, 0x0,
        0x9E, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0};

    // Key matrix 0: descriptor (v13 rows, v14 cols, v15 data) filled from unk_404044.
    v20 = 0;
    v13 = 3;
    v14 = 3;
    v15 = &v12;
    hello((__int64)&unk_404044, (unsigned __int8 *)&v13); // 9 words copied
    v20 = &v13;

    // Key matrix 1 from unk_40408C.
    v21 = 0;
    v5 = 3;
    v6 = 3;
    v7 = &v4;
    hello((__int64)&unk_40408C, (unsigned __int8 *)&v5); // 9
    v21 = &v5;

    // Key matrix 2 from KeyMatrix_Array.
    v22 = 0;
    v17 = 3;
    v18 = 3;
    v19 = &v16;
    hello((__int64)&KeyMatrix_Array, (unsigned __int8 *)&v17); // 9
    v22 = &v17;

    // Key matrix 3 from unk_404068.
    v23 = 0;
    v9 = 3;
    v10 = 3;
    v11 = &v8;
    hello((__int64)&unk_404068, (unsigned __int8 *)&v9); // 9
    v23 = &v9;

    // v29

    void *v24[8]; // scratch matrices that receive the products

    // Give each scratch slot a 3x3 descriptor with a 36-byte data buffer.
    memset(v24, 0, sizeof(v24));
    for (i = 0; i < 7; ++i)
    {
        v28 = malloc(0x10u);
        *v28 = 3;
        v28[1] = 3;
        *((uint64_t *)v28 + 1) = malloc(0x24u);
        v24[i] = v28;
    }

    void *Memory[8]; // the 7 matrices built from the 44-char flag, with descriptors
    Morpheus(Memory, &Str); // the input is expected to be 44 characters long

    // Dst:    the 7 expected product matrices
    // Memory: the 7 matrices built from the flag
    // v20..:  the 4 key matrices
    // v24:    the 7 scratch matrices for the products

    // Dst holds raw 36-byte matrices back to back (252 bytes), no descriptors.

    char Dst[256];
    memcpy(Dst, &unk_4040C0, 0xFCu);

    for (int i = 0; i < 7; i++)
    {
        // Only if key matrix i%4 is non-singular: v24[i] = key[i%4] * Memory[i].
        if ((unsigned int)Neo((&v20)[i % 4]))
            guess((unsigned __int8 *)(&v20)[i % 4], (__int64)Memory[i], (__int64)v24[i]);

        // NOTE: as written, `return 0` is not inside the if, so the loop would
        // return after the first comparison; braces were presumably lost in
        // the decompile/transcription -- verify against the binary.
        if (byebye((unsigned __int8 *)v24[i], &Dst[36 * i]))
            printf("Wrong. Try again.\n");
        return 0;
    }

    printf("Correct! Your flag has passed the test.\n");
    return 0;
}

解密过程也很简单:把 data 按 9 个一组切成 3×3 矩阵,左乘对应 key 矩阵的逆矩阵(四个逆矩阵按 i % 4 循环使用)就得到 flag 的字符。注意加密时的矩阵乘法没有取模(data 中有大于 255 的值),所以 key 在整数/有理数域上直接可逆,不需要求模逆;相邻两块的末行与下一块的首行重叠,拼接时要去掉重复的 3 个字符。

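def hello(source: list[int]) -> list[list[int]]:
    """Reshape nine coefficients into a 3x3 row-major matrix.

    Counterpart of the binary's ``hello`` routine, which fills a 3x3
    matrix (dimensions 3, 3) from a flat buffer.

    Args:
        source: exactly nine values in row-major order.

    Returns:
        Three rows of three elements, sliced from ``source`` (which is
        left untouched).

    Raises:
        ValueError: if ``source`` does not hold exactly nine elements; the
            original silently returned short or ragged rows in that case,
            which would then corrupt the matrix product.
    """
    if len(source) != 9:
        raise ValueError(f"expected 9 elements for a 3x3 matrix, got {len(source)}")
    return [source[row * 3 : row * 3 + 3] for row in range(3)]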


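def matmul(a: list[list[int]], b: list[list[int]]) -> list[list[int]]:
    """Multiply two matrices with exact integer arithmetic (no modulus).

    Generalised from the original fixed 3x3 loop: ``a`` may be m x n and
    ``b`` n x p. For 3x3 operands the result is identical to the original.

    Args:
        a: left operand, a list of equal-length rows.
        b: right operand; must have exactly as many rows as ``a`` has
            columns, and its rows must all have the same length.

    Returns:
        A new m x p matrix; neither operand is modified.

    Raises:
        ValueError: on an inner-dimension mismatch or a ragged ``b`` (the
            original would have raised IndexError or read the wrong cells).
    """
    inner = len(b)
    if any(len(row) != inner for row in a):
        raise ValueError(
            f"inner dimensions do not match: a has row lengths {[len(r) for r in a]}, b has {inner} rows"
        )
    if b and any(len(row) != len(b[0]) for row in b):
        raise ValueError("b is ragged: all rows must have the same length")
    # Transpose b once so every cell is a plain row·column dot product.
    columns = list(zip(*b))
    return [[sum(x * y for x, y in zip(row, col)) for col in columns] for row in a]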


# Ciphertext: the 64 little-endian u32 values of the binary's unk_4040C0
# table (the 0xFC = 252 bytes memcpy'd into Dst), i.e. seven 3x3 blocks of
# nine coefficients followed by a trailing 0. Values exceed 255 because the
# cipher multiplies without any modulus.
dst: list[int] = [488, 448, 385, 1367, 1235, 1054, 317, 273, 258, 620, 320, 325, 1463, 748, 755, 1513, 797, 822, 333, 266, 402, 189, 159, 245, 189, 161, 257, 354, 327, 547, 251, 192, 294, 401, 291, 439, 240, 253, 269, 670, 704, 753, 145, 159, 164, 553, 315, 302, 1252, 728, 711, 1469, 805, 740, 455, 337, 213, 254, 229, 110, 300, 160, 158, 0]

# Integer inverses of the four 3x3 key matrices, in the order the binary
# cycles through them (v20..v23); block i is decrypted with k_[i % 4].
# k_[2] and k_[3] multiply KeyMatrix_Array and unk_404068 to the identity;
# the tables behind k_[0]/k_[1] (unk_404044, unk_40408C) are not shown here.
# With no modulus the inverse is over the rationals and happens to be
# integral for these keys.
k_: list[list[list[int]]] = [
    [[7, -2, -2], [3, -1, 0], [-6, 2, 1]],
    [[-26, 8, 3], [24, -7, -3], [-7, 2, 1]],
    [[2, -2, -1], [-1, 1, 1], [2, -1, -2]],
    [[-1, 5, -2], [1, -6, 3], [-1, 8, -4]],
]


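def main() -> None:
    """Recover the flag from ``dst`` and print it.

    ``dst`` holds seven 3x3 ciphertext blocks. Block ``i`` is the plaintext
    block left-multiplied by key matrix ``i % 4``, so ``k_[i % 4] @ block``
    gives the plaintext values back and ``chr`` of each value is one flag
    character.

    Consecutive blocks overlap: the last row of block ``i`` equals the first
    row of block ``i + 1``. The original solver printed all nine characters
    of every block and then emitted three backspaces to hide the overlap,
    which only looks right on a terminal (redirected output keeps the
    duplicate characters and the ``\\b`` bytes). Here the flag is assembled
    as a string instead and the overlap is checked.

    Raises:
        ValueError: if an overlapping row does not match, which indicates
            wrong inverse key matrices or corrupted ``dst``.
    """
    print(_recover_flag())


def _recover_flag() -> str:
    """Undo the matrix cipher over ``dst``/``k_`` and return the flag text."""
    block_count = 7
    chars: list[int] = []
    previous_last_row = None
    for i in range(block_count):
        block = hello(dst[9 * i : 9 * i + 9])
        plain = matmul(k_[i % 4], block)
        if previous_last_row is not None and plain[0] != previous_last_row:
            raise ValueError(
                f"block {i}: overlap mismatch, got {plain[0]} but previous block ended with {previous_last_row}"
            )
        # The last row of every block except the final one is repeated as
        # the first row of the next block, so only the final block keeps it.
        kept_rows = plain if i == block_count - 1 else plain[:2]
        for row in kept_rows:
            chars.extend(row)
        previous_last_row = plain[2]
    # dst's 64th coefficient is 0, so the final block decodes to a trailing NUL.
    return "".join(map(chr, chars)).rstrip("\x00")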


if __name__ == "__main__":
    main()
# Recovered flag: 0xGame{78d51c59-6dc3-30d2-1276-18e13f80c478}

Justsoso | Review

由题,flag 用 key 加密经过 base64 编码等于 encryptedFLAG,那么只要知道 key 并逆向 ReversC4.encrypt 即可。

encryptedFLAG==b64encode(ReversC4.encrypt(flag, key))

getKey()在 native 层,IDA 分析 so 文件源码:

image-20250222145157414

看上去挺复杂,其实就是把 source 逐字节二倍后再异或 0x7F(即 (2 * c) ^ 0x7F,乘法优先级高于异或),这样就得到了 14 个 int 组成的 key。下面是用 Java 重写的等价实现:

/**
 * Java re-implementation of the native getKey(): every character of the
 * fixed source string is doubled and then XORed with 0x7F. Note that '*'
 * binds tighter than '^', so the XOR is applied to the doubled value.
 *
 * @return the 14-entry integer key used by ReversC4.encrypt/decrypt
 */
public static int[] getKey() {
    final char[] source = "just_0xGame_so".toCharArray();
    final int[] key = new int[14];
    int idx = 0;
    for (char c : source) {
        key[idx++] = (2 * c) ^ 0x7F;
    }
    return key;
}

加密过程很好逆向,其中 initial、i、i2 只要随便编一个 44 字节的 flag 放进 encrypt 里面跑一下,就能知道末状态的值,将它们作为初始值放进 decrypt 里面即可。从下面 decrypt 的状态更新可以看出,状态的演化只依赖 key 和已处理的字节数,与明文内容无关,所以测试 flag 只需与真实 flag 等长(44 字节);这份 decrypt 也因此只对 44 字节的密文有效。

/**
 * Inverse of ReversC4.encrypt for the 44-byte flag: walks the ciphertext
 * backwards, undoing the keystream XOR while rewinding the cipher state.
 *
 * The state table and the two indices (44 and 12) are the values left
 * behind after encrypting a 44-byte message with getKey(); per the
 * write-up they were captured by running encrypt() on a dummy flag of the
 * same length, so this routine only decrypts ciphertexts of that length.
 * The key parameter is unused because the state is already baked in.
 * The table contains the entry 256, which the (byte) cast narrows to 0.
 *
 * @param bArr ciphertext; decrypted in place
 * @param iArr unused (kept for signature compatibility with encrypt)
 * @return the same array, now holding the plaintext
 */
public static byte[] decrypt(byte[] bArr, int[] iArr) {
    int[] state = { 107, 11, 190, 182, 97, 252, 84, 71, 59, 218, 18, 68, 241, 141, 155, 240, 170, 78, 43, 175, 98, 87, 239, 53, 228, 81, 157, 44, 13, 26, 158, 179, 79, 210, 234, 251, 163, 249, 130, 120, 211, 219, 129, 186, 69, 225, 41, 91, 36, 15, 171, 123, 243, 140, 138, 32, 173, 166, 159, 253, 236, 200, 176, 152, 113, 57, 94, 208, 116, 144, 8, 119, 99, 23, 104, 181, 52, 196, 162, 49, 224, 213, 143, 5, 192, 46, 118, 75, 114, 136, 160, 178, 205, 149, 65, 29, 20, 102, 223, 148, 39, 115, 124, 127, 229, 255, 122, 50, 117, 83, 109, 216, 17, 88, 128, 106, 125, 60, 188, 61, 244, 95, 73, 66, 195, 82, 27, 28, 147, 62, 189, 154, 185, 112, 30, 235, 86, 9, 139, 153, 22, 24, 237, 14, 54, 203, 164, 48, 16, 204, 230, 232, 156, 3, 133, 214, 74, 161, 70, 220, 238, 47, 183, 10, 2, 180, 131, 169, 67, 58, 1, 250, 254, 6, 207, 199, 198, 42, 247, 33, 221, 110, 184, 34, 25, 31, 217, 168, 137, 222, 146, 72, 89, 193, 103, 92, 256, 4, 209, 45, 226, 194, 202, 37, 172, 77, 177, 90, 100, 80, 174, 12, 55, 19, 197, 245, 231, 40, 51, 93, 212, 151, 96, 227, 201, 121, 108, 126, 21, 63, 35, 165, 7, 145, 56, 111, 187, 38, 105, 150, 85, 242, 132, 134, 142, 64, 233, 206, 135, 246, 167, 101, 215, 191, 76, 248 };
    int j = 44; // end-of-encryption position index
    int k = 12; // end-of-encryption accumulator index
    for (int pos = bArr.length - 1; pos >= 0; pos--) {
        final int sk = state[k];
        final int sj = state[j];
        // Keystream byte comes from the pre-rewind state, same as in encrypt.
        bArr[pos] ^= (byte) state[(sk + sj) % 256];
        // Undo the swap, then step both indices back one encryption round.
        state[k] = sj;
        k = (k - sk + 256) % 256;
        state[j] = sk;
        j = (j + 255) % 256;
    }
    return bArr;
}

跑一下:

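/**
 * Decodes the base64 ciphertext from the challenge and prints the flag.
 *
 * Both string/byte conversions use an explicit UTF-8 charset instead of the
 * platform default: on a non-UTF-8 JVM default the original would have
 * silently produced a different byte array and a different printed flag.
 * (The flag is ASCII, so the result is the same on UTF-8 platforms.)
 *
 * @param args unused
 */
public static void main(String[] args) {
    // b64encode(ReversC4.encrypt(flag, key)) as shipped in the app.
    String encryptedFLAG = "nB9RCjwReif5P1H1MYO6m/hucCGjI6EE9wWEx/E4N+bO5k5ior6MnqAGQfc=";
    // Dummy flag of the same length (44 bytes) as the real one.
    String testFlag = "0xGame{111111111111111111111111111111111111}";
    int[] key = getKey();
    // Kept from the write-up: encrypting a same-length dummy is how the
    // end state hard-coded in decrypt() was obtained. Whether encrypt()
    // still shares state with decrypt() cannot be seen here, so the call
    // is left in place.
    encrypt(testFlag.getBytes(java.nio.charset.StandardCharsets.UTF_8), key);

    byte[] cipher = Base64.getDecoder().decode(encryptedFLAG);
    byte[] plain = decrypt(cipher, key);
    String FLAG = new String(plain, java.nio.charset.StandardCharsets.UTF_8);
    System.out.println(FLAG); // 0xGame{fd51ce4b-4556-4cf9-9430-67480614e43b}
}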