那天做了挺久,最后终于搞出来了:)
1.放到ida中判断出该文件使用pyinstaller打包
2.使用pyinstxtractor对exe进行解包(提取PyInstaller打包的文件,这一步是解包而不是反编译)
3.得到奇怪的交易.pyc和PYZ-00.pyz_extracted文件夹中的pyc文件
4.反编译pyimod00_crypto_key.pyc,得到pyc.encrypted加密密钥为0000000000000tea
#!/usr/bin/env python
# Decompiled pyimod00_crypto_key.pyc: the key the bundle uses for its
# *.pyc.encrypted members. It ships inside the executable itself, so this
# encryption only obfuscates the modules; anyone holding the file can read it.
key = '0000000000000tea'
5.使用tinyaes对cup.pyc.encrypted进行解密,得到解密后的pyc
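#!/usr/bin/env python3
"""Decrypt one encrypted PyInstaller archive member and rebuild a .pyc file.

Input layout, as this script reads it: a 16-byte IV followed by AES-CTR
ciphertext of zlib-compressed data. The output is the decompressed data
prefixed with a Python 3.10 pyc header.

The recovered .pyc comes from an untrusted binary: feed it to a decompiler or
disassembler only, and do not import or execute it.
"""
import tinyaes
import zlib

CRYPT_BLOCK_SIZE = 16

# key obtained from pyimod00_crypto_key
key = bytes('0000000000000tea', 'utf-8')

# Read the encrypted member completely and close it before doing any work.
with open('cup.pyc.encrypted', 'rb') as inf:
    # Initialization vector: the first block of the file
    iv = inf.read(CRYPT_BLOCK_SIZE)
    ciphertext = inf.read()

if len(iv) != CRYPT_BLOCK_SIZE:
    raise ValueError('cup.pyc.encrypted is too short to contain an IV')

cipher = tinyaes.AES(key, iv)

# Decrypt and decompress. CTR mode carries no integrity check, so a wrong key
# or a damaged file only shows up here, as a zlib.error.
plaintext = zlib.decompress(cipher.CTR_xcrypt_buffer(ciphertext))

# Create the output only after decryption succeeded, so a failed run does not
# leave an empty or truncated cup310.pyc behind.
with open('cup310.pyc', 'wb') as outf:
    # Write pyc header
    # The header below is for Python 3.10; the magic number must match the
    # interpreter version that built the executable.
    outf.write(b'\x6f\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0')
    # Write decrypted data
    outf.write(plaintext)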
6.反编译奇怪的交易.pyc和cup.pyc,得到main函数和encrypt函数。判断出加密函数为xxtea加密算法,得到加密的密文和密钥。
main函数不完整,但是猜测bbb就是xxtea加密后的密文,[54,54,54,54]就是密钥。
cup.py文件源码:
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Decompiler output for cup.pyc, reproduced as published.
import libnum
from ctypes import *
def MX(z, y, total, key, p, e):
    """Mixing step of the cipher the write-up identifies as XXTEA.

    z, y, total and e are read through ``.value`` (ctypes integers); key is
    indexed with ``p & 3 ^ e.value``. The result is wrapped in ``c_uint32``.
    """
    # Python binds shifts tighter than `&`, and `&` tighter than `^`, so this is
    # ((z >> 5) ^ (y << 2)) + ((y >> 3) ^ (z << 4)).
    temp1 = (z.value >> 5 ^ y.value << 2) + (y.value >> 3 ^ z.value << 4)
    # The key index parses as (p & 3) ^ e.value.
    temp2 = (total.value ^ y.value) + (key[p & 3 ^ e.value] ^ z.value)
    return c_uint32(temp1 ^ temp2)
def encrypt(v, k, z):
    # Decompiler output, reproduced as published; it is not runnable as shown.
    # The main script calls this as encrypt(len(aaa), aaa, [54, 54, 54, 54]),
    # so v is the word count, k the data words and z the key.
    # NOTE(review): indentation was lost on the page and is reconstructed here
    # from the statement order; confirm against your own decompiler run.
    # The trailing `L` is Python 2 long-literal syntax and is rejected by Python 3.
    delte = 0x9E3779B9L
    ᘛ = 6 + 52 // v
    total = c_uint32(0)
    ᘔ = c_uint32(k[v - 1])
    ᘕ = c_uint32(0)
    # NOTE(review): presumably a `while ᘛ > 0:` loop in the original; the
    # decompiler emitted `if`. No per-word loop appears in this output, only
    # the update of the last word k[v - 1].
    if ᘛ > 0:
        total.value += delte
        ᘕ.value = total.value >> 2 & 3
        ᘚ = c_uint32(k[0])
        # k is updated in place, so the caller's list changes as well.
        k[v - 1] = c_uint32(k[v - 1] + MX(ᘔ, ᘚ, total, z, v - 1, ᘕ).value).value
        ᘔ.value = k[v - 1]
        ᘛ -= 1
        if not ᘛ > 0:
            return k
反编译奇怪的交易.py文件源码:(源码不完整)
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
# Decompiler output for the entry script, reproduced as published. The write-up
# notes it is incomplete; it is not runnable as shown.
# NOTE(review): indentation was lost on the page and is reconstructed here from
# the statement order; confirm against your own decompiler run.
from cup import *
if __name__ == '__main__':
    # The escaped prompt is the UTF-8 encoding of "请输入flag".
    flag = input('\xe8\xaf\xb7\xe8\xbe\x93\xe5\x85\xa5flag')
    # Used below as pow(m, pub_key[1], pub_key[0]): index 0 is the modulus,
    # index 1 the exponent.
    pub_key = [
        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,
        0x647327833ACFEF1F9C83E74E171FC300FA347D4A6769476C33DA82C95120ACB38B62B33D429206FE6E9BB0BB7AB748A1036971BEA36EC47130B749C1C9FF6FE03D0F7D9FC5346EB0E575BDFA6C530AA57CD676894FC080D2DD049AB59625F4B9C78BCFD95CDCD2793E440E26E189D251121CB6EB177FEDB596409034E8B0C5BBD9BD9342235DBB226C9170EFE347FF0FD2CFF9A1F7B647CC83E4D8F005FD7125A89251C768AFE70BDD54B88116814D5030F499BCAC4673CCCC342FB4B6AC58EA5A64546DC25912B6C430529F6A7F449FD96536DE269D1A1B015A4AC6B6E46EE19DCE8143726A6503E290E4BAE6BD78319B5878981F6CFFDB3B818209341FD68B]
    m = libnum.s2n(flag)
    # c is the decimal string of the modular exponentiation result.
    c = str(pow(m, pub_key[1], pub_key[0]))
    aaa = []
    # Expected words: aaa is compared with this list after encrypt() has run.
    bbb = [
        0xD28ED952, 1472742623, 0xD91BA938, 0xF9F3BD2D, 0x8EF8E43D,
        617653972, 1474514999, 1471783658, 1012864704, 0xD7821910,
        993855884, 438456717, 0xC83555B7, 0xE8DFF468, 198959101,
        0xC5B84FEB, 0xD9F837C6, 613157871, 0x8EFA4EDD, 97286225,
        0x8B4B608C, 1471645170, 0xC0B62792, 583597118, 0xAAB1C22D,
        0xBDB9C266, 1384330715, 0xAE9F9816, 0xD1F40B3C, 0x8206DDC3,
        0xC4E0BADC, 0xE407BD26, 145643141, 0x8016C6A5, 0xAF4AB9D3,
        506798154, 994590281, 0x85082A0B, 0xCA0BC95A, 0xA7BE567C,
        1105937096, 1789727804, 0xDFEFB591, 0x93346B38, 1162286478,
        680814033, 0xAEE1A7A2, 0x80E574AE, 0xF154F55F, 2121620700,
        0xFCBDA653, 0x8E902444, 0xCA742E12, 0xB8424071, 0xB4B15EC2,
        0x943BFA09, 0xBC97CD93, 1285603712, 798920280, 0x8B58328F,
        0xF9822360, 0xD1FD15EE, 1077514121, 1436444106, 0xA2D6C17E,
        1507202797, 500756149, 198754565, 0x8E014807, 880454148,
        1970517398, 0xBFC6EE25, 1161840191, 560498076, 1782600856,
        0x9D93FEBE, 1285196205, 788797746, 1195724574, 0xF2174A07,
        103427523, 0x952BFE83, 0xF730AC4C, 617564657, 978211984,
        1781482121, 0x8379D23A, 0xEAD737EE, 0xE41555FB, 659557668,
        0x99F3B244, 1561884856, 0x842C31A4, 1189296962, 169145316,
        0xA5CE044C, 1323893433, 824667876, 408202876, 0xE0178482,
        0xF412BBBC, 1508996065, 162419237, 0xDE740B00, 0xB7CB64FD,
        0xEBCADB1F, 0x8EAE2326, 0x933C216C, 0xD7D1F649, 481927014,
        0xA448AC16, 0xBC082807, 1261069441, 2063238535, 0x8474A61D,
        101459755, 0xBC5654D1, 1721190841, 1078395785, 176506553,
        0xD3C5280F, 1566142515, 1938949000, 1499289517, 0xC59872F8,
        829714860, 0xE51502A2, 952932374, 1283577465, 2045007203,
        0xEBE6A798, 0xE09575CD, 0xADDF4157, 0xC4770191, 482297421,
        1734231412, 0xDAC71054, 0x99807E43, 0xA88D74B1, 0xCB77E028,
        1533519803, 0xEEEBC3B6, 0xE7E680E5, 272960248, 317508587,
        0xC4B10CDC, 0x91776399, 27470488, 1666674386, 1737927609,
        750987808, 0x8E364D8F, 0xA0985A77, 562925334, 0x837D6DC3]
    i = 0
    # NOTE(review): presumably a `while i < len(c):` loop that walks c four
    # characters at a time and packs each group into one word of aaa; the
    # decompiler emitted `if` and lost the packing expression (it shows 0).
    if i < len(c):
        ᘞ = 0
        aaa.append(ᘞ)
        i += 4
        # NOTE(review): `en(c)` is as published; presumably `len(c)`.
        if not i < en(c):
            # Key passed to encrypt() as its third argument.
            ᘝ = [
                54,
                54,
                54,
                54]
            ccc = len(aaa)
            # `res` is not used afterwards: the check below reads aaa itself.
            res = encrypt(ccc, aaa, ᘝ)
            if aaa == bbb:
                print('You are right!')
                input('')
                quit()
            print('Why not drink a cup of tea and have a rest?')
            continue
7.对密文进行解密,得到flag变换后的明文
# c_uint32 from ctypes provides the 32-bit wrap-around arithmetic used below.
from ctypes import *
def MX(z, y, total, key, p, e):
    """Return the XXTEA mixing value for one word as a ``c_uint32``.

    z, y, total and e are ctypes integers read through ``.value``; key is a
    sequence indexed with ``(p & 3) ^ e.value``. Intermediate sums may exceed
    32 bits; the ``c_uint32`` wrapper truncates the final result.
    """
    zv = z.value
    yv = y.value
    shifted = ((zv >> 5) ^ (yv << 2)) + ((yv >> 3) ^ (zv << 4))
    key_word = key[(p & 3) ^ e.value]
    keyed = (total.value ^ yv) + (key_word ^ zv)
    return c_uint32(shifted ^ keyed)
def decrypt(n, v, key):
    """Run the XXTEA decryption rounds over the first n words of v.

    v is modified in place and also returned. Every word is reduced to 32 bits
    through ``c_uint32``. The round count is ``6 + 52 // n``, so n must not be 0.
    """
    golden = 0x9e3779b9
    cycles = 6 + 52 // n
    # Start from the final running sum of encryption and step it back per round.
    total = c_uint32(cycles * golden)
    y = c_uint32(v[0])
    e = c_uint32(0)
    for _ in range(cycles):
        e.value = (total.value >> 2) & 3
        # Walk from the last word down to index 1; index 0 is handled after the
        # loop because its left neighbour is the last word.
        for p in reversed(range(1, n)):
            z = c_uint32(v[p - 1])
            mixed = MX(z, y, total, key, p, e).value
            v[p] = c_uint32(v[p] - mixed).value
            y.value = v[p]
        z = c_uint32(v[n - 1])
        mixed = MX(z, y, total, key, 0, e).value
        v[0] = c_uint32(v[0] - mixed).value
        y.value = v[0]
        total.value -= golden
    return v
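import binascii

if __name__ == "__main__":
    # Target words taken from `bbb` in the decompiled entry script.
    v = [
        0xD28ED952, 1472742623, 0xD91BA938, 0xF9F3BD2D, 0x8EF8E43D,
        617653972, 1474514999, 1471783658, 1012864704, 0xD7821910,
        993855884, 438456717, 0xC83555B7, 0xE8DFF468, 198959101,
        0xC5B84FEB, 0xD9F837C6, 613157871, 0x8EFA4EDD, 97286225,
        0x8B4B608C, 1471645170, 0xC0B62792, 583597118, 0xAAB1C22D,
        0xBDB9C266, 1384330715, 0xAE9F9816, 0xD1F40B3C, 0x8206DDC3,
        0xC4E0BADC, 0xE407BD26, 145643141, 0x8016C6A5, 0xAF4AB9D3,
        506798154, 994590281, 0x85082A0B, 0xCA0BC95A, 0xA7BE567C,
        1105937096, 1789727804, 0xDFEFB591, 0x93346B38, 1162286478,
        680814033, 0xAEE1A7A2, 0x80E574AE, 0xF154F55F, 2121620700,
        0xFCBDA653, 0x8E902444, 0xCA742E12, 0xB8424071, 0xB4B15EC2,
        0x943BFA09, 0xBC97CD93, 1285603712, 798920280, 0x8B58328F,
        0xF9822360, 0xD1FD15EE, 1077514121, 1436444106, 0xA2D6C17E,
        1507202797, 500756149, 198754565, 0x8E014807, 880454148,
        1970517398, 0xBFC6EE25, 1161840191, 560498076, 1782600856,
        0x9D93FEBE, 1285196205, 788797746, 1195724574, 0xF2174A07,
        103427523, 0x952BFE83, 0xF730AC4C, 617564657, 978211984,
        1781482121, 0x8379D23A, 0xEAD737EE, 0xE41555FB, 659557668,
        0x99F3B244, 1561884856, 0x842C31A4, 1189296962, 169145316,
        0xA5CE044C, 1323893433, 824667876, 408202876, 0xE0178482,
        0xF412BBBC, 1508996065, 162419237, 0xDE740B00, 0xB7CB64FD,
        0xEBCADB1F, 0x8EAE2326, 0x933C216C, 0xD7D1F649, 481927014,
        0xA448AC16, 0xBC082807, 1261069441, 2063238535, 0x8474A61D,
        101459755, 0xBC5654D1, 1721190841, 1078395785, 176506553,
        0xD3C5280F, 1566142515, 1938949000, 1499289517, 0xC59872F8,
        829714860, 0xE51502A2, 952932374, 1283577465, 2045007203,
        0xEBE6A798, 0xE09575CD, 0xADDF4157, 0xC4770191, 482297421,
        1734231412, 0xDAC71054, 0x99807E43, 0xA88D74B1, 0xCB77E028,
        1533519803, 0xEEEBC3B6, 0xE7E680E5, 272960248, 317508587,
        0xC4B10CDC, 0x91776399, 27470488, 1666674386, 1737927609,
        750987808, 0x8E364D8F, 0xA0985A77, 562925334, 0x837D6DC3,
    ]
    # Key from the decompiled entry script: [54, 54, 54, 54]
    k = [54] * 4
    n = len(v)
    res = decrypt(n, v, k)

    hex_parts = []
    for word in res:
        digits = format(word, "x")
        # hex formatting drops leading zeros; pad to whole bytes so a2b_hex
        # never receives an odd number of digits.
        if len(digits) % 2:
            digits = "0" + digits
        print(binascii.a2b_hex(digits))
        hex_parts.append(digits)

    res1 = "".join(hex_parts)
    print(res1)
    # The decoded bytes are the decimal digits of the value used as `c` in the
    # RSA step.
    print(binascii.a2b_hex(res1))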
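8.代码中的 c = str(pow(m, pub_key[1], pub_key[0])) 是一次RSA加密(m为flag,pub_key[0]为n,pub_key[1]为e),因此由上一步还原出的c求flag,等价于求RSA解密后的明文。观察pub_key可以发现e非常大,且与n十分接近,这通常意味着私钥指数d很小,满足维纳攻击(Wiener's attack)的适用条件,因此可以利用维纳攻击恢复d,直接解出flag。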
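from Crypto.Util.number import *
from gmpy2 import *
from RSAwienerHacker import *
import libnum

# Public modulus and exponent: pub_key[0] and pub_key[1] of the decompiled
# entry script.
n = 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
e = 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
# Decimal string recovered by the XXTEA step, read as the RSA ciphertext.
c = 10610336534759505889607399322387179316771488492347274741918862678692508953185876570981227584004676580623553664818853686933004290078153620168054665086468417541382824708104480882577200529822968531743002301934310349005341104696887943182074473298650903541494918266823037984054778903666406545980557074219162536057146090758158128189406073809226361445046225524917089434897957301396534515964547462425719205819342172669899546965221084098690893672595962129879041507903210851706793788311452973769358455761907303633956322972510500253009083922781934406731633755418753858930476576720874219359466503538931371444470303193503733920039

# Wiener's attack only recovers d when the private exponent is small (roughly
# d < n**0.25 / 3). Keys with a conventional small e such as 65537 and a
# full-size d are not affected.
d = hack_RSA(e, n)
# NOTE(review): hack_RSA appears to return None when no convergent yields a
# valid d - confirm against the RSAwienerHacker module. Stop with a clear
# message instead of failing inside pow().
if not d:
    raise SystemExit("Wiener attack found no private exponent for this key")
# Confirm that d really inverts e before trusting the decrypted output.
if pow(pow(2, e, n), d, n) != 2:
    raise SystemExit("recovered d does not invert e modulo n")

flag = long_to_bytes(pow(c, d, n))
print(flag)
# Output: b'flag{You_Need_Some_Tea}'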
工具来源:
https://github.com/extremecoders-re/pyinstxtractor
https://tool.lu/pyc/
https://github.com/pablocelayes/rsa-wiener-attack