TSCTF-J 2025 WriteUp - 曦の休息处

Cover image source: Source

Reverse#

Singin#

首先拖到IDA分析，发现入口函数 start中调用的函数只是错误处理相关逻辑遂运行程序，看到相关字串交叉引用后分析，推测相关逻辑：从Size可知flag长度应是31 继续看crypto(sub_7FF6DC0E1660) 稍作分析可以看到是异或加密，其中key是对"WelcomeToTSCTF"进行一些处理，如图继续查看sub_1400014EC得到一个类似Base64的东西，但是Base64表被处理动态调试，知Base表应是VkbKJo3PNcCSZQGXdUaLEwOet07jxAWmlsDqp9uf1Riy5F2nIB6rh4/+g8TzMYHv （此处省略截图）完整脚本如下：

1
#include <cstdio>
2
#include <cstring>
3
#include <iostream>
4
#include "reverse_signin.h"
5
#include <cstdint>
6

7
unsigned char *__fastcall base64_encode(uint64_t addr, uint64_t size);
8

9
int re_signin() {
10
    char Buf2[33] =
11
            "\x23\x7C\x34\x61\x32\x02\x13\x3D\x67\x12\x64\x0D\x37\x02\x34\x14\x03\x7A\x2B\x69\x24\x70\x34\x61\x32\x70\x6B\x76\x02\x42\x28";
12
    char secret[33];
13
    secret[32] = '\0';
14
    const char* prev = "WelcomeToTSCTF";
15
    unsigned char * base64ed = base64_encode((uint64_t)prev,14); //len = 20
16
    printf("%s\n", base64ed);
17
    for (int i = 0; i < 32; i++) {
18
        secret[i] = Buf2[i] ^ base64ed[i % 20];
19
        //printf("%lld\n",secret[i] & 0xff);
20
    }
21
    std::cout << secret << std::endl;
22
    return 0;
23
}
24

25
static const char base64_table[] =
26
    "VkbKJo3PNcCSZQGXdUaLEwOet07jxAWmlsDqp9uf1Riy5F2nIB6rh4/+g8TzMYHv";
27

28
unsigned char *__fastcall base64_encode(uint64_t addr, uint64_t size)
29
{
30
    uint64_t v3, v4, v5;
31
    unsigned char *v6;
32
    uint64_t i;
33
    uint64_t v8;
34
    int v9;
35
    int v10;
36

37
    v6 = (unsigned char *)malloc(4 * ((size + 2) / 3) + 1);
38
    if (!v6)
39
        return NULL;
40

41
    v10 = 0;
42
    v9 = -6;
43
    v8 = 0;
44

45
    for (i = 0; i < size; ++i)
46
    {
47
        v10 = (v10 << 8) + *((unsigned char *)addr + i);
48
        v9 += 8;
49
        while (v9 >= 0)
50
        {
51
            v3 = v8++;
52
            v6[v3] = base64_table[(v10 >> v9) & 0x3F];
53
            v9 -= 6;
54
        }
55
    }
56

57
    if (v9 >= -5) // 处理剩余比特
58
    {
59
        v4 = v8++;
60
        v6[v4] = base64_table[(v10 << 8 >> (v9 + 8)) & 0x3F];
61
    }
62

63
    while (v8 < 4 * ((size + 2) / 3))
64
    {
65
        v5 = v8++;
66
        v6[v5] = '=';
67
    }
68

69
    v6[v8] = 0;
70
    return v6;
71
}

运行可得flag为TSCTF-J{We1c@me_t0_TS_CTF_2025}

听绿的秘密#

首先查看hint.txt知，运行Tinglv.jar，并且把Cat.png作为参数传入，可以得到Where_is_my_cat.png 打开jadx-gui，发现这个jar解密并动态加载了一个Class 这里反过来，从Secret解密 Secret.class的脚本如下：（对于每个字节减7）

1
def decrypt_secret_obf(obf_file_path, decrypted_file_path):
2
    try:
3
        with open(obf_file_path, 'rb') as f_obf:
4
            obf_bytes = f_obf.read()
5

6
        decrypted_bytes = bytearray()
7
        for b in obf_bytes:
8
            decrypted_bytes.append((b - 7) & 0xFF)
9

10
        with open(decrypted_file_path, 'wb') as f_decrypted:
11
            f_decrypted.write(decrypted_bytes)
12

13
        print(f"'{obf_file_path}' decrypted to '{decrypted_file_path}' successfully.")
14
    except FileNotFoundError:
15
        print(f"Error: File not found at '{obf_file_path}'")
16
    except Exception as e:
17
        print(f"An error occurred: {e}")
18

19
if __name__ == "__main__":
20
    obf_file = "Secret.obf"
21
    decrypted_file = "Secret.class"
22

23
    decrypt_secret_obf(obf_file, decrypted_file)

继续查看Secret.class，有对Cat.png的加密逻辑解密脚本如下：

1
def decrypt():
2
    with open("Where_is_my_cat.png", "rb") as f:
3
        enc = bytearray(f.read())
4
    dec = bytearray(len(enc))
5
    i2 = 123
6
    for i3 in range(len(enc)):
7
        e = enc[i3] & 0xFF
8
        i5 = (i3 + i2) % 8
9
        i6 = ((e >> i5) | (e << (8 - i5))) & 0xFF
10
        dec[i3] = (i6 - (i3 % 251) - i2) & 0xFF
11
        i2 = (i2 + e + 37) & 0xFF
12
    with open("Decrypted_Cat.png", "wb") as f:
13
        f.write(dec)
14

15
if __name__ == "__main__":
16
    decrypt()

从Decrypted_Cat.png中读到flag为TSCTF-J{181_c3ntimeTer5?} （小声）（所以听绿的秘密是什么？

CryDancing#

I’m crying dancing
It’s really quite outstanding
It’s not my heart that’s breaking
It’s just the songs they’re playing

解压后找到CryDancing这个二进制文件，IDA打开查看函数列表，查资料得，形如+/-[abc]为ObjectiveC的函数推测flag相关逻辑位于LynsSecret中发现GetKey函数进行穷举得一个四位字符串的md5为固定的值674040176a34f6c994003fe85badfc48 脚本如下：

1
import hashlib
2
import itertools
3

4
target = "674040176a34f6c994003fe85badfc48"
5
charset = [chr(ord('A') + i) for i in range(26)]  # A..Z
6

7
for a,b,c,d in itertools.product(charset, repeat=4):
8
    s = a + b + c + d
9
    if hashlib.md5(s.encode()).hexdigest() == target:
10
        print("found:", s)
11
        break

发现NOTD满足，且NOTD参与歌曲CryDancing 继续查看YouCanSeeThisRight:函数，发现进行了某种AES解密，其中key是NOTD放置4次，需要Base64密文回到IDA，从字串列表可得Base64密文如图：解密脚本如下：

1
from Crypto.Cipher import AES
2
from Crypto.Util.Padding import unpad
3
import base64
4

5
B64 = "bvOaEEh1F5pDkMpM6n5src+Jym4ineiRvbWRIidoLHD1KGuRk8vyRsDpQ4XGYtNKnQDvFBEnG3DsCDGqJ8Xv8g=="
6
KEY = (b"NOTD" * 4)  # 16 bytes
7
IV = (375).to_bytes(4, 'little') + b'\x00'*12  # first 4 bytes = 375 little-endian, rest zeros
8

9
ct = base64.b64decode(B64)
10
cipher = AES.new(KEY, AES.MODE_CBC, IV)
11
pt = unpad(cipher.decrypt(ct), AES.block_size)
12
print(pt.decode('utf-8', errors='replace'))

得到flag为TSCTF-J{S0rry_th3_4nswer_h4s_n0thing_2_do_with_l7rics} （Cry Dancing好听捏

GirlHook#

jadx-gui从Java层看，只是简单的异或加密得到flag为TSCTF-J{how_to_hook_in_ART?} 发现不正确，还加载了一个so进行hook 阅读题干题如其名找到Lynnette177/GirlHook项目的地址拖到IDA进行分析，找到hook相关方法sub_A9B90对应源码中的initialize_globals 看到需要找出func_enter的Lua函数，如图：从what_is_this函数中看到Lua代码加密算法为ChaCha20 复制数据段的密文到二进制文件secret后，使用下面脚本解密：

1
from Crypto.Cipher import ChaCha20
2
key = b'youareclosetoit_youareclosetoit_'
3
nonce = b'continueabcd'
4
counter = 1
5
with open('secret', 'rb') as f:
6
    ciphertext = f.read()
7
cipher = ChaCha20.new(key=key, nonce=nonce)
8
cipher.seek(counter * 64)
9
plaintext = cipher.decrypt(ciphertext)
10
print(plaintext.decode('utf-8'))

得到Lua代码

1
local function xor_byte(a, b)
2
    local result = 0
3
    for i = 0, 7 do
4
        local x = a % 2
5
        local y = b % 2
6
        result = result + ((x ~ y) << i)
7
        a = math.floor(a / 2)
8
        b = math.floor(b / 2)
9
    end
10
    return result
11
end
12

13
function xor_encrypt(str, key)
14
    local result = {}
15
    for i = 1, #str do
16
        local c = string.byte(str, i)
17
        c = (c + 1) % 255
18
        local k = string.byte(key, (i - 1) % #key + 1)
19
        result[i] = string.char(xor_byte(c, k))
20
    end
21
    return table.concat(result)
22
end
23

24
-- base64 encode
25
local b='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
26
function base64_encode(data)
27
    return ((data:gsub('.', function(x)
28
        local r,bits='',string.byte(x)
29
        for i=8,1,-1 do r=r..(bits % 2^i - bits % 2^(i-1) > 0 and '1' or '0') end
30
        return r
31
    end)..'0000'):gsub('%d%d%d?%d?%d?%d?', function(x)
32
        if #x < 6 then return '' end
33
        local c=0
34
        for i=1,6 do c=c+(x:sub(i,i)=='1' and 2^(6-i) or 0) end
35
        return b:sub(c+1,c+1)
36
    end)..({ '', '==', '=' })[#data % 3 + 1])
37
end
38

39
function encrypt(plain, key)
40
    return base64_encode(xor_encrypt(plain, key))
41
end
42

43
function func_enter(args)
44
    local strobj = args[1]
45
    local str = getJavaStringContent(strobj)
46
    local encrypted = encrypt(str, "W0WY0U4R3S0G00D2F1NDTH3K3Y")
47
    local str = getJavaStringContent(strobj)
48
    local encrypted = encrypt(str, "W0WY0U4R3S0G00D2F1NDTH3K3Y")
49
    local str = getJavaStringContent(strobj)
50
    local str = getJavaStringContent(strobj)
51
    local encrypted = encrypt(str, "W0WY0U4R3S0G00D2F1NDTH3K3Y")
52
    local str = getJavaStringContent(strobj)
53
    local encrypted = encrypt(str, "W0WY0U4R3S0G00D2F1NDTH3K3Y")
54
    local str = getJavaStringContent(strobj)
55
    local str = getJavaStringContent(strobj)
56
    local str = getJavaStringContent(strobj)
57
    local str = getJavaStringContent(strobj)
58
    local str = getJavaStringContent(strobj)
59
    local str = getJavaStringContent(strobj)
60
    local str = getJavaStringContent(strobj)
61
    local str = getJavaStringContent(strobj)
62
    local encrypted = encrypt(str, "W0WY0U4R3S0G00D2F1NDTH3K3Y")
63
    local str = getJavaStringContent(strobj)
64
    local encrypted = encrypt(str, "W0WY0U4R3S0G00D2F1NDTH3K3Y")
65
    local e1 = createJavaString(strobj, encrypted)
66
    args[1] = e1
67
    return true, args, 0
68
end

发现是Base64与异或的加密，从dex里得到密文为解密脚本为:

1
import base64
2

3
KEY = b"W0WY0U4R3S0G00D2F1NDTH3K3Y"
4
CIPHERTEXT = "AmQTDHd7fy5CIAQyRUokVD1RJ3VlJFM4WTE+CBcn"
5

6
def decrypt(cipher_b64):
7
    data = base64.b64decode(cipher_b64)
8
    res = bytearray()
9
    for i, c in enumerate(data):
10
        x = c ^ KEY[i % len(KEY)]
11
        res.append((x - 1) % 255)
12
    return bytes(res)
13

14
print(decrypt(CIPHERTEXT).decode('utf-8', 'ignore'))

得到flag为TSCTF-J{pr3tty_ez_h00k_righ7?}

Crypto#

Cantor’s_gifts.py#

注意到是逆序数和字符排列相关问题反过来

1
from math import factorial
2

3
hint = 2498752981111460725490082182453813672840574
4
now_message = b'5__r0tfg5f_34rtm__t_0ury0hft0t3n11c_t'
5
n = len(now_message)
6

7
def cantor_unrank(x, n):
8
    elements = list(range(1, n+1))
9
    permutation = []
10
    for i in range(n-1, -1, -1):
11
        fact = factorial(i)
12
        idx = x // fact
13
        x %= fact
14
        permutation.append(elements.pop(idx))
15
    return permutation
16

17
reflection = cantor_unrank(hint, n)
18

19
message = [b'']*n
20
for i, pos in enumerate(reflection):
21
    message[pos-1] = now_message[i:i+1]
22

23
message_bytes = b''.join(message)
24
message_bytes.decode()
25
print(message_bytes)

使用TSCTF-J包裹即可得TSCTF-J{c4nt0r5_g1ft_f0r_th3_f1r5t_y0u_t0_m3t}

需要解决几次异或和一个Base64

1
import base64
2

3
KEY1_hex = 'a6c8b6733c9b22de7bc0253266a3867df55acde8635e19c73313c1819383df93'
4
KEY2_XOR_KEY3_hex = '11abed33a76d7be822ab718422844e1d40d72a96f02a288aa3b168165922138f'
5
FLAG_XOR_KEY1_XOR_KEY2_XOR_KEY3_hex = 'e1251504cdb300420a0520fc1c15b010d4bfb118c2477b78f3eafbe1acf0f121'
6
KEY1 = int(KEY1_hex, 16)
7
KEY2_XOR_KEY3 = int(KEY2_XOR_KEY3_hex, 16)
8
FLAG_XOR_KEY1_XOR_KEY2_XOR_KEY3 = int(FLAG_XOR_KEY1_XOR_KEY2_XOR_KEY3_hex, 16)
9
m = FLAG_XOR_KEY1_XOR_KEY2_XOR_KEY3 ^ KEY1 ^ KEY2_XOR_KEY3
10
m_hex = hex(m)[2:]
11
if len(m_hex) % 2 != 0:
12
    m_hex = '0' + m_hex
13
encoded_flag_bytes = bytes.fromhex(m_hex)
14
flag = base64.b64decode(encoded_flag_bytes)
15

16
print(f"Flag: {flag.decode('utf-8')}")

得到flag为TSCTF-J{I_like_Crypto}

p=~q#

关于RSA和翻位相关算法

1
import math
2
from Crypto.Util.number import long_to_bytes
3
n=17051407421191257766878232954687995776275810092183184400406052880776283989210979642731778073370935322411364098277851627904479300390445258684605069414401583042318910193017463817007183769745191345053634189302047446965986220310713141272104307300803560476507359063543147558286276881771260972717080160544078251002420560031692800880310702557545555020333582797788637377901506395695115351043959528307703535156759957098992921231240480724115372547821536358993064005667175508572424424498140029596238691489470392031290179060300593482514446687661068760457021164559923920591924277937814270216802997593891640228684835585559706493543
4
c=6853848340403815994585475502319517119889957571722212403728096345969080424626781659085329098693249503884838912886399198433606071464349852827030377680456139046436386063565577131001152891176064224036780277315958771309063181054101040906120879494157473100295607616604515810676954786850526056316144848921849017030095717895244910724234927693999607754055953250981051858498499963202512464388765761597435963200846457903991924487952495202449073962133164877330289865956477568456497103568127103331224273528931042804794039714404647322385366048042459109584024130199496106946124782839099804356052016687352504438568019898976023369460
5
e=65537
6
A=1<<1023
7
S=3*A
8
D=S*S-4*n
9
p=(S+math.isqrt(D))//2
10
q=(S-math.isqrt(D))//2
11
phi=(p-1)*(q-1)
12
d=pow(e,-1,phi)
13
print(long_to_bytes(pow(c,d,n)).decode())

野狐禅#

已知LCG输出可恢复r，再利用Paillier公式解出明文序列y解线性递推方程组得3进制coeffs并转回flag 跟challenge放在同个目录下运行

1
from fractions import Fraction
2
from Crypto.Util.number import long_to_bytes, inverse
3
from math import gcd
4
def parse_challenge(path="challenge.txt"):
5
    with open(path,"r") as f:
6
        lines=[l.strip() for l in f if l.strip()!=""]
7
    n=int(lines[0].split(":",1)[1].strip())
8
    g=int(lines[1].split(":",1)[1].strip())
9
    k=int(lines[2].split(":",1)[1].strip())
10
    eqs=int(lines[3].split(":",1)[1].strip())
11
    rest=[int(x) for x in lines[4:]]
12
    half=len(rest)//2
13
    return n,g,k,eqs,rest[:half],rest[half:]
14
def recover_y(n,ciphertexts,lcg_raws):
15
    n2=n*n
16
    y=[]
17
    for c_raw,raw in zip(ciphertexts,lcg_raws):
18
        c=c_raw % n2
19
        r=raw % n
20
        if r==0 or gcd(r,n)!=1:
21
            raise SystemExit(1)
22
        rn=pow(r,n,n2)
23
        inv_rn=inverse(rn,n2)
24
        t=(c*inv_rn) % n2
25
        if (t-1) % n != 0:
26
            raise SystemExit(1)
27
        m_val=(t-1)//n
28
        y.append(m_val)
29
    return y
30
def solve_coeffs(y,k):
31
    A=[[Fraction(0) for _ in range(k)] for __ in range(k)]
32
    b=[Fraction(0) for _ in range(k)]
33
    for i in range(k):
34
        for j in range(k):
35
            A[i][j]=Fraction(y[i+k-1-j])
36
        b[i]=Fraction(y[i+k])
37
    M=[row[:] + [bval] for row,bval in zip(A,b)]
38
    nrows=k
39
    ncols=k
40
    for col in range(ncols):
41
        pivot=None
42
        for r in range(col,nrows):
43
            if M[r][col]!=0:
44
                pivot=r
45
                break
46
        if pivot is None:
47
            raise SystemExit(1)
48
        if pivot!=col:
49
            M[col],M[pivot]=M[pivot],M[col]
50
        pv=M[col][col]
51
        M[col]=[val/pv for val in M[col]]
52
        for r in range(nrows):
53
            if r!=col:
54
                factor=M[r][col]
55
                if factor!=0:
56
                    M[r]=[M[r][c]-factor*M[col][c] for c in range(ncols+1)]
57
    coeffs=[int(M[i][ncols]) for i in range(ncols)]
58
    return coeffs
59
n,g,k,eqs,ciphertexts,lcg_raws=parse_challenge("challenge.txt")
60
y=recover_y(n,ciphertexts,lcg_raws)
61
coeffs=solve_coeffs(y,k)
62
val=0
63
pow3=1
64
for d in coeffs:
65
    val+=int(d)*pow3
66
    pow3*=3
67
flag_bytes=long_to_bytes(val)
68
print(flag_bytes.decode())

Misc#

卢森堡的秘密#

由于第一次碰PNG隐写，从Bing搜索知可以修改长宽、分离文件、以及各种图片和像素上藏flag的方法尝试调整高度，发现宽高并未被修改使用010Editor查看，发现PNG结构没有多出来的文件用在线工具查看，无元数据考虑颜色和像素方面藏flag的情况使用StegSolve-1.4.jar ExtractData，勾选三个0通道，拉到最上面，可见flag为TSCTF-J{ Th3_sEcr 65375f30665f4c24 42217d000cad61ac e7_0f_L$ B!} 由于不存在空格，所以flag应是TSCTF-J{Th3_sEcr65375f30665f4c2442217d000cad61ace7_0f_L$ B!}

Meow（未做完）#

注意到提示指出首个猫猫友好编程语言！基于 Word 的国产自研编程语言MeowLang 运行后可得如下内容：

1
vfndveyTsNSk
2
mv9bBq==
3
xZrFq2fu
4
x01LB3Dnztb3
5
iseHFq==

看上去像Base64但是对解密的尝试失败（）由于做的时候距离截止时间很近故没有进一步查找（）

EzFix（未做完）#

花了一点时间安装VMware Workstation 等待安装完成的过程里，先用DiskGenius浏览一下虚拟磁盘文件里面的内容根据修改时间可以发现，TSCTF用户下的Desktop文件夹有相关内容 useless.png和flag_part2.zip part2居然不是分包压缩！注意到加密的zip里面也有useless.png，询问GPT5知可以使用明文攻击解出其它文件遂Bing搜索相关内容，使用ARCHPR获得flag后半段

至于前半段，猜测可能是Windows系统用户的密码网络搜索得到解出明文密码的方法导出sam和system后干掉火绒，使用mimikatz.exe 得到NTML加密后的密码

AI#

Coup#

本题难点为注册获取API Key（bushi）游戏丢给Gemini 2.5 Pro，并指出需要简短的机械一些的提示词给大模型，使得大模型取胜，给出自己在Coup中的角色名字，要英文的较简短的提示词，可得下面的prompt：

1
You are achqing, an AI player in a 3-player Coup game.
2
Each player starts with 2 coins and 2 hidden influence cards.
3
Your goal: be the last player alive (the only one with unrevealed influence).
4

5
Follow these rules exactly, in order of priority:
6

7
---
8

9
### [GENERAL RULES]
10
1. Always keep track of your coins, known actions of others, and visible cards.
11
2. Never reveal your real roles unless forced by a challenge.
12
3. If you have 10 or more coins → immediately perform a COUP on the strongest opponent.
13
4. Always prefer actions that increase survival probability or coin advantage.
14

15
---
16

17
### [ACTION PRIORITY LOGIC]
18

19
If you have:
20
- **7 or more coins** → perform **COUP** on the opponent who has the most coins or strongest role claim.
21
- **3–6 coins**:
22
  - If you claim DUKE → use **TAX** (gain +3 coins).
23
  - Else if you claim CAPTAIN → use **STEAL** from the richest opponent.
24
  - Else if you claim ASSASSIN and have ≥3 coins → **ASSASSINATE** the most dangerous opponent.
25
  - Else → use **FOREIGN AID** (gain +2 coins unless blocked).
26
- **Less than 3 coins** → always use **INCOME** (+1 coin).
27

28
---
29

30
### [CHALLENGE LOGIC]
31

32
When another player claims a role:
33
1. Challenge if:
34
   - The claim contradicts their previous known claim, OR
35
   - The probability of bluff > 50% (e.g., they already acted as another role).
36
2. Do not challenge DUKE claims too early; observe patterns first.
37
3. Always challenge if an opponent uses the same claimed role twice in a row with inconsistent logic.
38
4. If you lose a challenge, continue playing logically (do not rage or randomize).
39

40
---
41

42
### [BLOCK LOGIC]
43
- Block **FOREIGN AID** if you claim DUKE.
44
- Block **STEAL** if you claim CAPTAIN or AMBASSADOR.
45
- Block **ASSASSINATION** if you claim CONTESSA.
46

47
---
48

49
### [TARGET SELECTION]
50
When you must attack (STEAL / ASSASSINATE / COUP):
51
1. Prefer the opponent with:
52
   - The highest coins, OR
53
   - The most credible role, OR
54
   - The one who last attacked you.
55
2. If tied, target randomly between them.
56

57
---
58

59
### [DECEPTION LOGIC]
60
- Start the game by claiming **DUKE** (common and powerful).
61
- If someone else also claims DUKE → switch your claim to **CAPTAIN** or **AMBASSADOR** next round.
62
- Change claimed role every 3–4 turns to avoid detection.
63
- If challenged and you lose → adjust your next claimed role immediately.
64
- If your bluff succeeds → repeat same role once to reinforce trust, then switch again.
65

66
---
67

68
### [ENDGAME BEHAVIOR]
69
When only 2 players remain:
70
1. Stop bluffing.
71
2. If you have ≥7 coins → COUP immediately.
72
3. If you have ≥3 coins and claim ASSASSIN → ASSASSINATE.
73
4. Otherwise TAX or STEAL until you reach 7 coins.
74

75
---
76

77
### [SUMMARY]
78
Always:
79
- Track coins → Control tempo → Deceive logically → Strike decisively.
80
- Never act randomly unless to break opponent prediction.
81
- Victory = survive with 1+ unrevealed influence.
82

83
You are achqing. Play efficiently, mechanically, and adaptively.

然后多try几次可得flag为TSCTF-J{39ab01e0-5942-a046-45a4-35e0da53e396}