Misc
MineCraft:Seed
这个题就是根据Minecraft服务器的地图逆推出地图种子,直接下载mod:seedcrackerx跑跑图就出了
WebShellPro
套娃题,用wireshark进行流量分析,解密多个http的响应体可以找到部分信息,然后在第9次解密密文后发现关键文件是一个hint.py的代码这个就是shell的加密方式,还有一个关键就是找到了一个Password: Password-based-encryption
稍微修改一下函数,把所有的shell信息给解密
import base64
from urllib.parse import unquote
import libnum
from Crypto.PublicKey import RSA
pubkey = """-----BEGIN PUBLIC KEY-----
MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCK/qv5P8ixWjoFI2rzF62tm6sDFnRsKsGhVSCuxQIxuehMWQLmv6TPxyTQPefIKufzfUFaca/YHkIVIC19ohmE5X738TtxGbOgiGef4bvd9sU6M42k8vMlCPJp1woDFDOFoBQpr4YzH4ZTR6Ps+HP8VEIJMG5uiLQOLxdKdxi41QIDAQAB
-----END PUBLIC KEY-----
"""
prikey = """-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAIr+q/k/yLFaOgUjavMXra2bqwMWdGwqwaFVIK7FAjG56ExZAua/pM/HJNA958gq5/N9QVpxr9geQhUgLX2iGYTlfvfxO3EZs6CIZ5/hu932xTozjaTy8yUI8mnXCgMUM4WgFCmvhjMfhlNHo+z4c/xUQgkwbm6ItA4vF0p3GLjVAgMBAAECgYBDsqawT5DAUOHRft6oZ+//jsJMTrOFu41ztrKkbPAUqCesh+4R1WXAjY4wnvY1WDCBN5CNLLIo4RPuli2R81HZ4OpZuiHv81sNMccauhrJrioDdbxhxbM7/jQ6M9YajwdNisL5zClXCOs1/y01+9vDiMDk0kX8hiIYlpPKDwjqQQJBAL6Y0fuoJng57GGhdwvN2c656tLDPj9GRi0sfeeMqavRTMz6/qea1LdAuzDhRoS2Wb8ArhOkYns0GMazzc1q428CQQC6sM9OiVR4EV/ewGnBnF+0p3alcYr//Gp1wZ6fKIrFJQpbHTzf27AhKgOJ1qB6A7P/mQS6JvYDPsgrVkPLRnX7AkEAr/xpfyXfB4nsUqWFR3f2UiRmx98RfdlEePeo9YFzNTvX3zkuo9GZ8e8qKNMJiwbYzT0yft59NGeBLQ/eynqUrwJAE6Nxy0Mq/Y5mVVpMRa+babeMBY9SHeeBk22QsBFlt6NT2Y3Tz4CeoH547NEFBJDLKIICO0rJ6kF6cQScERASbQJAZy088sVY6DJtGRLPuysv3NiyfEvikmczCEkDPex4shvFLddwNUlmhzml5pscIie44mBOJ0uX37y+co3q6UoRQg==
-----END PRIVATE KEY-----
"""
pubkey = RSA.import_key(pubkey)
prikey = RSA.import_key(prikey)
n = pubkey.n
def enc_replace(base64_str: str):
base64_str = base64_str.replace("/", "e5Lg^FM5EQYe5!yF&62%V$UG*B*RfQeM")
base64_str = base64_str.replace("+", "n6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8W")
return base64_str.replace("=", "JXWUDuLUgwRLKD9fD6&VY2aFeE&r@Ff2")
def dec_replace(base64_str: str):
base64_str = base64_str.replace("e5Lg^FM5EQYe5!yF&62%V$UG*B*RfQeM", "/")
base64_str = base64_str.replace("n6&B8G6nE@2tt4UR6h3QBt*5&C&pVu8W", "+")
return base64_str.replace("JXWUDuLUgwRLKD9fD6&VY2aFeE&r@Ff2", "=")
def encrypt(plain_text):
# 私钥加密
cipher_text = b""
for i in range(0, len(plain_text), 128):
part = plain_text[i:i+128]
enc = libnum.n2s(pow(libnum.s2n(part), prikey.d, n))
cipher_text += enc
return enc_replace(base64.b64encode(cipher_text).decode())
def decrypt(enc):
cipher_text=base64.b64decode(dec_replace(enc))
plain_text=b""
for i in range(0,len(cipher_text), 128):
part=cipher_text[i:i+128]
dec = libnum.n2s(pow(libnum.s2n(part), pubkey.e, n))
plain_text += dec
return plain_text.decode()
if __name__ == '__main__':
c=['FZtON9qcMwGMAVjK63BZyUElFGNTMqs1An6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8Wyn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8We5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMCBo43nSXSPiaGRZfiirk1SiEUPA6HrkDe5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeM04aEJn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WzlkHZgRLSlR5S7xBNESbzHmpKVChcFKHM9viQtOxgEwlZFmhEWAMTurszdfL8pmxokQiavn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WBJDNVULWCn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8W36n6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WqYvUBqwjn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WEcJXWUDuLUgwRLKD9fD6%26VY2aFeE%26r%40Ff2',
'LGKL544jKbSMPaweF1FkEe5Iykv8lnzI5AN7O0rLbFOic5mOKYn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WtSYvYOySDLiYzPjGiPTM4RhX2stGfxElRHj0g2aSxLjj8IsUMrZ6uxvDwgCZlKB7o1r0xqOyru9n6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WJu1bRhbAXiHNuZ1MnlPhcgLyfk9FCNewiLM4FTwy2KywJXWUDuLUgwRLKD9fD6%26VY2aFeE%26r%40Ff2',
'JfswXTSuox0IP5NsGTln6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WAUNIsFC7XuybsDorWNCNJe5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMe5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMn3qEUNcgn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WihMfwF6XsGOSKCqFGezqHFTO5q6VG4EDWe5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeM4Htglmtq4BmcZJKgXLvzkzA0nTFnBVP5c6zT0WX7raTEWe5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMK20o5eoe5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMuPXOMyPlgMQbAR9ZMp2Olwe5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMvbaR1NJgJXWUDuLUgwRLKD9fD6%26VY2aFeE%26r%40Ff2',
'XFQS9n5xr9QWKewe6dw46Lmi928e5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMVmHGrQmIMTvQJr7DW6SQZLMMxCyuYMYedXzrfNxkELMX1CXl7GElxC4olcozqWnUos9IE6kSwn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WsSk2rukyrXnbnQh27ekOLf6epWfpgMmr9BKF1XXUb20pJP5fagwhxpqSeuuwAefk8UelUJXWUDuLUgwRLKD9fD6%26VY2aFeE%26r%40Ff2',
'drt4OBTcetIurMrmriIxPhfWx5nFc2grsMhpGA8SkKTeTs4dk3UIxfphRun6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WckPvlpAn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WIunRMOHD1sHFhcjCin6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WsWxLkyKFS9IdjEZHHn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8W72bnhzZRzRcg3RLHn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8Wwpe2zS5fHA4u1Wn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8Wgb0JGW0sWgb9I5lQXTXde5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMqR0CUyxqgeKNMAwJXWUDuLUgwRLKD9fD6%26VY2aFeE%26r%40Ff2',
'co7xLpHsVEAE5l7fsCb7VwK2NiPtkINUh7sNre5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMNhhn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8W3RkS5n6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8Wxa7OyiwyiB8jSnEVIGX2lYKa50q5YI23J5ppkhcohr0ktrcWn91MXrTV0Vq5JW6yPbItn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WbuBfQXNpYspLKV5Tljge4YWoHDQqiKCYYnPMF7LagcC9fsQffwrMSsJXWUDuLUgwRLKD9fD6%26VY2aFeE%26r%40Ff2',
'GwFlhxRoksXdDJWaDEfySWGbRQ1SBeoX0r2lwvLePqSnZw1N75wS0sn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WONPr1c54e5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMofPeg2CsSq0UXnNHJhPuN2VpcMn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8We5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMUTJSBr3qLmR6iNe5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMKKxI6ry0CDf7SdaP1pXu8SDYeAWAuCv9xeegfRhkZt9pvXy40cNskiNM1FW7FPnEJXWUDuLUgwRLKD9fD6%26VY2aFeE%26r%40Ff2',
'IbNEZ8rGERCl3pZe5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMe5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMrpWBqzS1NIM0CdISg8PUUBzhqYkr5s5fn2Pdn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WSeOqGaU8GJRe5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMNRlRbjXHUEEOi3vbuC52jB8LrgcnrZfFFRLtwxox91C5mXwSP6PhM3pQmsFPusKCyYP3OOIbzUa8MGqBo9OjaTxP4lVPrIBkwGcQPqqvwJXWUDuLUgwRLKD9fD6%26VY2aFeE%26r%40Ff2',
'QO0aRn91LW114FkdPXtsz2NXBxffsluGfLkss87RnMen6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WOM0SdYBMemkKsJ5C406Izn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WPXn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8W2mC19qS0mJvPfBNMH0Vl6w72Ie5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeM20nFUokf6XNMLkq5TuvyVgjCUCZcCERF1gTAZn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8W80qMkO0VJxTqdrIc1H5MmMJpAlU2XfYRBCF5kUJXWUDuLUgwRLKD9fD6%26VY2aFeE%26r%40Ff2',
'OTEBXOzklq47vCMun6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WvSDL2h4svC0e5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMoTkLcpmoy0HSto3GoNNT7v86XmkKmXJL0JfzvyZNjgriP7PURYREU35lTsqKxTqvFhmn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8W5n6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8W9BksBYFqdnX4HS6MMTyS44ZNjbcn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8W1jlNLvHmn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WXABbE6xihToCzcCwQPR39dVasnlr2AREUmIJXWUDuLUgwRLKD9fD6%26VY2aFeE%26r%40Ff2',
'G1TUg4bIVOFYi8omV2SQrTa8fzYfboRNN7fV6FJn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8Wbm3O74uCUbwMkvRCYae44TX1ZO8X4w2Nk1igaIZjSQIJ9MMHhD9cn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WSV5EzikNsyM5c1nlPS8uqw1P2pJuYLaLxloK0x5xhQHDqqAxkuKrBzPn0noQ2bDn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WlVnGwsfP7YP9PYJXWUDuLUgwRLKD9fD6%26VY2aFeE%26r%40Ff2',
'co7xLpHsVEAE5l7fsCb7VwK2NiPtkINUh7sNre5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMNhhn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8W3RkS5n6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8Wxa7OyiwyiB8jSnEVIGX2lYKa50q5YI23J5ppkhcohr0ktrcWn91MXrTV0Vq5JW6yPbItn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WbuBfQXNpYspLKV5Tljge4YWoHDQqiKCYYnPMF7LagcC9fsQffwrMSsJXWUDuLUgwRLKD9fD6%26VY2aFeE%26r%40Ff2',
'G1TUg4bIVOFYi8omV2SQrTa8fzYfboRNN7fV6FJn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8Wbm3O74uCUbwMkvRCYae44TX1ZO8X4w2Nk1igaIZjSQIJ9MMHhD9cn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WSV5EzikNsyM5c1nlPS8uqw1P2pJuYLaLxloK0x5xhQHDqqAxkuKrBzPn0noQ2bDn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WlVnGwsfP7YP9PYJXWUDuLUgwRLKD9fD6%26VY2aFeE%26r%40Ff2',
'MHtJ35fx5m9ivoQn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WlNuFPx5uX222VNnKK1unlEiItzrWt8e5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMlxF0fw1PosQyCsZaEctarlArKDMe5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMlw6LxXKNp7koEMW3IPya8k71L8t7AoFcH67huo9MdqWnOIwzC4KrGje5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMrgNn6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WG9DQ8GYZaDFqjle5Lg%5EFM5EQYe5%21yF%2662%25V%24UG%2AB%2ARfQeMBmTpbKz7XWXin6%26B8G6nE%402tt4UR6h3QBt%2A5%26C%26pVu8WgVtbcB2skJXWUDuLUgwRLKD9fD6%26VY2aFeE%26r%40Ff2']
for i in range(len(c)):
text=decrypt(unquote(c[i]))
print(f'解密数据为{text}')
# Password-based-encryption This is key注意到有一条解密数据为echo U2FsdGVkX1+SslS2BbHfe3c4/t/KxLaM6ZFlOdbtfMHnG8lepnhMnde40tNOYjSvoErLzy0csL7c5d4TlMntBQ== > /root/FLAG/flag.txt
U2FsdGVKX1 是对称加密头,AES之类的,然后把key填进去试一下就出了
Reverse
System_login
密码的加密逻辑没看懂,前半段是异或,后半段感觉是AES,但是Sbox好像修改了
账号的加密逻辑很简单就是一个约束方程求解,直接z3一把梭
#先求出username
from z3 import *
# 创建一个新的Z3求解器
solver = Solver()
# 创建16个整数变量a1[0]到a1[15]
a1 = [Int('a1[%d]' % i) for i in range(16)]
# 添加所有的约束条件
solver.add(a1[2] + a1[1] + a1[0] + a1[3] == 447)
solver.add(101 * a1[2] + a1[0] + 9 * a1[1] + 8 * a1[3] == 12265)
solver.add(5 * a1[2] + 3 * a1[0] + 4 * a1[1] + 6 * a1[3] == 2000)
solver.add(88 * a1[2] + 12 * a1[0] + 11 * a1[1] + 87 * a1[3] == 21475)
solver.add(a1[6] + 59 * a1[5] + 100 * a1[4] + a1[7] == 7896)
solver.add(443 * a1[4] + 200 * a1[5] + 10 * a1[6] + 16 * a1[7] == 33774)
solver.add(556 * a1[5] + 333 * a1[4] + 8 * a1[6] + 7 * a1[7] == 44758)
solver.add(a1[6] + a1[5] + 202 * a1[4] + a1[7] == 9950)
solver.add(78 * a1[10] + 35 * a1[9] + 23 * a1[8] + 89 * a1[11] == 24052)
solver.add(78 * a1[8] + 59 * a1[9] + 15 * a1[10] + 91 * a1[11] == 25209)
solver.add(111 * a1[10] + 654 * a1[9] + 123 * a1[8] + 222 * a1[11] == 113427)
solver.add(6 * a1[9] + 72 * a1[8] + 5 * a1[10] + 444 * a1[11] == 54166)
solver.add(56 * a1[14] + 35 * a1[12] + 6 * a1[13] + 121 * a1[15] == 11130)
solver.add(169 * a1[14] + 158 * a1[13] + 98 * a1[12] + 124 * a1[15] == 27382)
solver.add(147 * a1[13] + 65 * a1[12] + 131 * a1[14] + 129 * a1[15] == 23564)
solver.add(137 * a1[14] + 132 * a1[13] + 620 * a1[12] + 135 * a1[15] == 51206)
# 检查是否存在解
if solver.check() == sat:
model = solver.model()
# 输出解
for i in range(16):
print(f"a1[{i}] = {model[a1[i]].as_long()}")
else:
print("No solution")
#输出username
a1=[117,115,101,114,48,49,95,110,107,99,116,102,50,48,50,52]
username=''
for i in range(16):
username+=chr(a1[i])
print(username)
#user01_nkctf2024网上找了个标准AES脚本修改了下,应该可以通杀魔改sbox的题
# http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.197.pdf
class IAES:
global new_s_box
def __init__(self):
self.Nk = 4
self.Nb = 4
self.Nr = 10
def arrays(self, raws):
Nb = []
for i in range(4):
Nb = Nb + [raws[4 * 0 + i], raws[4 * 1 + i], raws[4 * 2 + i], raws[4 * 3 + i]]
return Nb
def Inv_arrays(self, raws):
Inv_raws = []
for i in range(4):
Inv_raws = Inv_raws + [raws[4 * 0 + i], raws[4 * 1 + i], raws[4 * 2 + i], raws[4 * 3 + i]]
return Inv_raws
def view(self, raws):
raws = self.Inv_arrays(raws)
raws = ''.join([x.to_bytes(1, byteorder='big').hex() for x in raws])
print(raws)
def view2(self, list):
for i in range(len(list)):
print(format(list[i], '2x'), end=' ')
if i & 3 == 3: # i%4 == 3
print('\n', end='')
print('\n', end='')
def AddRoundKey(self, raws, Keys):
AddRoundKey = []
for raw, Key in zip(raws, Keys):
AddRoundKey.append(raw ^ Key)
return AddRoundKey
def SubBytes(self, raws):
S_box=new_s_box
raws_S_box = []
for raw in raws:
raws_S_box.append(S_box[raw])
return raws_S_box
def InvSubBytes(self, raws,inv_s_box):
IS_box = inv_s_box
raws_IS_box = []
for raw in raws:
raws_IS_box.append(IS_box[raw])
return raws_IS_box
def InvShiftRows(self, raws):
s13 = raws.pop(7)
raws.insert(4, s13)
s2223 = raws[10:12]
del raws[10:12]
raws[8:0] = s2223
s313233 = raws[13:16]
del raws[13:16]
raws[12:0] = s313233
return raws
def GMUL(self, a, b): # Russian Peasant Multiplication algorithm
p = 0
while a and b:
if b & 1: # b%2
p = p ^ a
if a & 0x80: # a=a*x^7(a>0),a >= 2**7(128)
a = (a << 1) ^ 0x11b # 0x11b = x^8 + x^4 + x^3 + x + 1 (0b100011011)
else:
a = a << 1
b = b >> 1
return p
def InvMixColumns(self, raws):
for i in range(4):
raws[0 * 4 + i], \
raws[1 * 4 + i], \
raws[2 * 4 + i], \
raws[3 * 4 + i] \
= \
self.GMUL(0x0e, raws[0 * 4 + i]) ^ self.GMUL(0x0b, raws[1 * 4 + i]) ^ self.GMUL(0x0d, raws[
2 * 4 + i]) ^ self.GMUL(0x09, raws[3 * 4 + i]), \
self.GMUL(0x09, raws[0 * 4 + i]) ^ self.GMUL(0x0e, raws[1 * 4 + i]) ^ self.GMUL(0x0b, raws[
2 * 4 + i]) ^ self.GMUL(0x0d, raws[3 * 4 + i]), \
self.GMUL(0x0d, raws[0 * 4 + i]) ^ self.GMUL(0x09, raws[1 * 4 + i]) ^ self.GMUL(0x0e, raws[
2 * 4 + i]) ^ self.GMUL(0x0b, raws[3 * 4 + i]), \
self.GMUL(0x0b, raws[0 * 4 + i]) ^ self.GMUL(0x0d, raws[1 * 4 + i]) ^ self.GMUL(0x09, raws[
2 * 4 + i]) ^ self.GMUL(0x0e, raws[3 * 4 + i])
return raws
def RotWord(self, temp):
b0 = temp.pop(0)
temp.insert(3, b0)
return temp
def SubWord(self, temp):
temp = self.SubBytes(temp)
return temp
def KeyExpansion(self, key):
i = 0
w = [[0]] * (self.Nb * (self.Nr + 1))
Rcon = [[0x01, 0x00, 0x00, 0x00],
[0x02, 0x00, 0x00, 0x00],
[0x04, 0x00, 0x00, 0x00],
[0x08, 0x00, 0x00, 0x00],
[0x10, 0x00, 0x00, 0x00],
[0x20, 0x00, 0x00, 0x00],
[0x40, 0x00, 0x00, 0x00],
[0x80, 0x00, 0x00, 0x00],
[0x1B, 0x00, 0x00, 0x00],
[0x36, 0x00, 0x00, 0x00]
]
while i < self.Nk:
w[i] = ([key[4 * i], key[4 * i + 1], key[4 * i + 2], key[4 * i + 3]])
i = i + 1
i = self.Nk
while i < self.Nb * (self.Nr + 1):
temp = w[i - 1].copy()
if i % self.Nk == 0:
temp = self.SubWord(self.RotWord(temp))
temp2 = []
for temp1, Rcon1 in zip(temp, Rcon[(i // self.Nk) - 1]):
temp2.append(temp1 ^ Rcon1)
temp = temp2
elif self.Nk > 6 and i % self.Nk == 4:
temp = self.SubWord(temp)
w_temp = []
for w1, temp1 in zip(w[i - self.Nk], temp):
w_temp.append(w1 ^ temp1)
w[i] = w_temp
i = i + 1
return w
def IAES(self, IInput, Cipher_Key,inv_s_box):
IInput = [IInput1 for IInput1 in IInput]
Cipher_Key = [Cipher_Key1 for Cipher_Key1 in Cipher_Key]
KeyExpansion = self.KeyExpansion(Cipher_Key)
keys = []
for Key_index in range(len(KeyExpansion) // 4):
keys_temp = (KeyExpansion[4 * Key_index] + KeyExpansion[4 * Key_index + 1] + KeyExpansion[
4 * Key_index + 2] + KeyExpansion[4 * Key_index + 3])
keys_temp = self.arrays(keys_temp)
keys.append(keys_temp)
IInput = self.arrays(IInput)
self.view(IInput)
self.view(keys[-1])
IInput = self.AddRoundKey(IInput, keys[-1])
self.view(IInput)
for index in range(self.Nr - 1):
IInput = self.InvShiftRows(IInput)
self.view(IInput)
IInput = self.InvSubBytes(IInput,inv_s_box)
self.view(IInput)
self.view(keys[-1 - 1 - index])
IInput = self.AddRoundKey(IInput, keys[-1 - 1 - index])
self.view(IInput)
IInput = self.InvMixColumns(IInput)
self.view(IInput)
IInput = self.InvShiftRows(IInput)
self.view(IInput)
IInput = self.InvSubBytes(IInput,inv_s_box)
self.view(IInput)
self.view(keys[0])
IInput = self.AddRoundKey(IInput, keys[0])
self.view(IInput)
IInput = self.Inv_arrays(IInput)
IInput = bytes(IInput)
return IInput
S_box = [
0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5, 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0, 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc, 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a, 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0, 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b, 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85, 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5, 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17, 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88, 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c, 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9, 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6, 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e, 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94, 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68, 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16
]
new_s_box = [0x31, 0x52, 0x5A, 0xC8, 0x0B, 0xAC, 0xF3, 0x3A, 0x8B, 0x54, 0x27, 0x9B, 0xAB, 0x95, 0xDE, 0x83, 0x60, 0xCB,
0x53, 0x7F, 0xC4, 0xE3, 0x0A, 0x97, 0xE0, 0x29, 0xD5, 0x68, 0xC5, 0xDF, 0xF4, 0x7B, 0xAA, 0xD6, 0x42, 0x78,
0x6C, 0xE9, 0x70, 0x17, 0xD7, 0x37, 0x24, 0x49, 0x75, 0xA9, 0x89, 0x67, 0x03, 0xFA, 0xD9, 0x91, 0xB4, 0x5B,
0xC2, 0x4E, 0x92, 0xFC, 0x46, 0xB1, 0x73, 0x08, 0xC7, 0x74, 0x09, 0xAF, 0xEC, 0xF5, 0x4D, 0x2D, 0xEA, 0xA5,
0xDA, 0xEF, 0xA6, 0x2B, 0x7E, 0x0C, 0x8F, 0xB0, 0x04, 0x06, 0x62, 0x84, 0x15, 0x8E, 0x12, 0x1D, 0x44, 0xC0,
0xE2, 0x38, 0xD4, 0x47, 0x28, 0x45, 0x6E, 0x9D, 0x63, 0xCF, 0xE6, 0x8C, 0x18, 0x82, 0x1B, 0x2C, 0xEE, 0x87,
0x94, 0x10, 0xC1, 0x20, 0x07, 0x4A, 0xA4, 0xEB, 0x77, 0xBC, 0xD3, 0xE1, 0x66, 0x2A, 0x6B, 0xE7, 0x79, 0xCC,
0x86, 0x16, 0xD0, 0xD1, 0x19, 0x55, 0x3C, 0x9F, 0xFB, 0x30, 0x98, 0xBD, 0xB8, 0xF1, 0x9E, 0x61, 0xCD, 0x90,
0xCE, 0x7C, 0x8D, 0x57, 0xAE, 0x6A, 0xB3, 0x3D, 0x76, 0xA7, 0x71, 0x88, 0xA2, 0xBA, 0x4F, 0x3E, 0x40, 0x64,
0x0F, 0x48, 0x21, 0x35, 0x36, 0x2F, 0xE8, 0x14, 0x5D, 0x51, 0xD8, 0xB5, 0xFE, 0xD2, 0x96, 0x93, 0xA1, 0xB6,
0x43, 0x0D, 0x4C, 0x80, 0xC9, 0xFF, 0xA3, 0xDD, 0x72, 0x05, 0x59, 0xBF, 0x0E, 0x26, 0x34, 0x1F, 0x13, 0xE5,
0xDC, 0xF2, 0xC6, 0x50, 0x1E, 0xE4, 0x85, 0xB7, 0x39, 0x8A, 0xCA, 0xED, 0x9C, 0xBB, 0x56, 0x23, 0x1A, 0xF0,
0x32, 0x58, 0xB2, 0x65, 0x33, 0x6F, 0x41, 0xBE, 0x3F, 0x6D, 0x11, 0x00, 0xAD, 0x5F, 0xC3, 0x81, 0x25, 0xA8,
0xA0, 0x9A, 0xF6, 0xF7, 0x5E, 0x99, 0x22, 0x2E, 0x4B, 0xF9, 0x3B, 0x02, 0x7A, 0xB9, 0x5C, 0x69, 0xF8, 0x1C,
0xDB, 0x01, 0x7D, 0xFD]
new_contrary_sbox = [0] * 256
for i in range(256):
line = (new_s_box[i] & 0xf0) >> 4
rol = new_s_box[i] & 0xf
new_contrary_sbox[(line * 16) + rol] = i
print(new_contrary_sbox)
IInput = bytes.fromhex('B0CC93EAE92FEF5699396E023B4F9E42')
print(IInput)
Cipher_Key = bytes(b'user01_nkctf2024')
print(Cipher_Key)
Out = IAES().IAES(IInput, Cipher_Key,new_contrary_sbox)
print(Out)
REEZ(复现)
OLLVM简单入门 - huhuf6 - 博客园 (cnblogs.com)
这道题目一堆很奇怪的数字,其实是
外面一层 ollvm 的壳,d810 去一下混淆,分析一下可以看出来是 rc4 解密了一个 elf 文件然后调用
如何获得outputfile呢?在rm./outputfile函数打个断点,然后dump出来
用ida打开看看
这一坨
都是线性方程组求解,可以直接用z3梭,但是代码工作量太大了
看到可以用angr来跑
学习一下angr
angr 符号执行爆破 CTF-RE 入门 - Node_Sans - 博客园 (cnblogs.com)
anhkgg/angr-doc-zh_CN: angr中文版文档 (github.com)
借鉴了一下大佬的脚本
import angr
import sys
def main():
# 二进制文件路径
path_to_binary = r"C:\Users\Npc\Desktop\outputfile"
# 从二进制文件创建 angr 项目
project = angr.Project(path_to_binary)
# 创建符号执行的初始状态
initial_state = project.factory.entry_state(
add_options={angr.options.SYMBOL_FILL_UNCONSTRAINED_MEMORY,
angr.options.SYMBOL_FILL_UNCONSTRAINED_REGISTERS}
)
# 创建一个仿真管理器来管理符号执行
simulation = project.factory.simgr(initial_state)
# 定义一个函数来检查状态是否达到成功条件
def is_successful(state):
stdout_output = state.posix.dumps(sys.stdout.fileno())
return stdout_output == b"D0_y0u_Like_What_You_See?\nWhat can I say? You are so great!"
# 定义一个函数来检查状态是否应该中止
def should_abort(state):
stdout_output = state.posix.dumps(sys.stdout.fileno())
return stdout_output == b"You are wrong!"
# 探索程序的执行路径以找到成功条件,同时避免中止条件
simulation.explore(find=is_successful, avoid=should_abort)
# 如果找到解决方案,则打印解决方案
if simulation.found:
solution_state = simulation.found[0]
print(solution_state.posix.dumps(sys.stdin.fileno()).decode())
else:
# 如果未找到解决方案,则引发异常
raise Exception('未找到解决方案')
if __name__ == '__main__':
# 当脚本运行时执行主函数
main()
##NKCTF{THut_1Ss_s@_eAsyhh}