首页
社区
课程
招聘
[原创]2022DASCTF Apr X FATE 防疫挑战赛-Reverse-奇怪的交易
发表于: 2022-7-18 09:35 10068

[原创]2022DASCTF Apr X FATE 防疫挑战赛-Reverse-奇怪的交易

2022-7-18 09:35
10068

那天做了挺久,最后终于搞出来了:)
1.放到ida中判断出该文件使用pyinstaller打包
2.使用pyinstxtractor对exe进行反编译
3.得到奇怪的交易.pyc和PYZ-00.pyz_extracted文件夹中的pyc文件
4.反编译pyimod00_crypto_key.pyc,得到pyc.encrypted加密密钥为0000000000000tea

5.使用tinyaes对cup.pyc.encrypted进行解密,得到解密后的pyc

6.反编译奇怪的交易.pyc和cup.pyc,得到main函数和encrypt函数。判断出加密函数为xxtea加密算法,得到加密的密文和密钥。
main函数不完整,但是猜测bbb就是xxtea加密后的密文,[54,54,54,54]就是密钥。
cup.py文件源码:

反编译奇怪的交易.py文件源码:(源码不完整)

7.对密文进行解密,得到flag变换后的明文

8.根据代码flag = str( pow(m, pub_key[1], pub_key[0]))等价与求RSA解密后明文。通过pub_key的值发现e和n非常大且十分接近,那么可以利用RSA的维纳攻击直接解出flag。

工具来源:
https://github.com/extremecoders-re/pyinstxtractor
https://tool.lu/pyc/
https://github.com/pablocelayes/rsa-wiener-attack

#!/usr/bin/env python
key = '0000000000000tea'
#!/usr/bin/env python
key = '0000000000000tea'
#!/usr/bin/env python3
import tinyaes
import zlib
CRYPT_BLOCK_SIZE = 16
 
# key obtained from pyimod00_crypto_key
key = bytes('0000000000000tea', 'utf-8')
 
inf = open('cup.pyc.encrypted', 'rb') # encrypted file input
outf = open('cup310.pyc', 'wb') # output file
 
# Initialization vector
iv = inf.read(CRYPT_BLOCK_SIZE)
 
cipher = tinyaes.AES(key, iv)
 
# Decrypt and decompress
plaintext = zlib.decompress(cipher.CTR_xcrypt_buffer(inf.read()))
 
# Write pyc header
# The header below is for Python 3.10
outf.write(b'\x6f\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0')
# Write decrypted data
outf.write(plaintext)
 
inf.close()
outf.close()
#!/usr/bin/env python3
import tinyaes
import zlib
CRYPT_BLOCK_SIZE = 16
 
# key obtained from pyimod00_crypto_key
key = bytes('0000000000000tea', 'utf-8')
 
inf = open('cup.pyc.encrypted', 'rb') # encrypted file input
outf = open('cup310.pyc', 'wb') # output file
 
# Initialization vector
iv = inf.read(CRYPT_BLOCK_SIZE)
 
cipher = tinyaes.AES(key, iv)
 
# Decrypt and decompress
plaintext = zlib.decompress(cipher.CTR_xcrypt_buffer(inf.read()))
 
# Write pyc header
# The header below is for Python 3.10
outf.write(b'\x6f\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0')
# Write decrypted data
outf.write(plaintext)
 
inf.close()
outf.close()
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
import libnum
from ctypes import *
 
def MX(z, y, total, key, p, e):
    temp1 = (z.value >> 5 ^ y.value << 2) + (y.value >> 3 ^ z.value << 4)
    temp2 = (total.value ^ y.value) + (key[p & 3 ^ e.value] ^ z.value)
    return c_uint32(temp1 ^ temp2)
 
 
def encrypt(v, k, z):
    delte = 0x9E3779B9L
    = 6 + 52 // v
    total = c_uint32(0)
    = c_uint32(k[v - 1])
    = c_uint32(0)
    if ᘛ > 0:
        total.value += delte
        ᘕ.value = total.value >> 2 & 3
        = c_uint32(k[0])
        k[v - 1] = c_uint32(k[v - 1] + MX(ᘔ, ᘚ, total, z, v - 1, ᘕ).value).value
        ᘔ.value = k[v - 1]
        -= 1
        if not ᘛ > 0:
            return k
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
import libnum
from ctypes import *
 
def MX(z, y, total, key, p, e):
    temp1 = (z.value >> 5 ^ y.value << 2) + (y.value >> 3 ^ z.value << 4)
    temp2 = (total.value ^ y.value) + (key[p & 3 ^ e.value] ^ z.value)
    return c_uint32(temp1 ^ temp2)
 
 
def encrypt(v, k, z):
    delte = 0x9E3779B9L
    = 6 + 52 // v
    total = c_uint32(0)
    = c_uint32(k[v - 1])
    = c_uint32(0)
    if ᘛ > 0:
        total.value += delte
        ᘕ.value = total.value >> 2 & 3
        = c_uint32(k[0])
        k[v - 1] = c_uint32(k[v - 1] + MX(ᘔ, ᘚ, total, z, v - 1, ᘕ).value).value
        ᘔ.value = k[v - 1]
        -= 1
        if not ᘛ > 0:
            return k
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
from cup import *
if __name__ == '__main__':
    flag = input('\xe8\xaf\xb7\xe8\xbe\x93\xe5\x85\xa5flag')
    pub_key = [
        0x649EE967E7916A825CC9FD3320BEABF263BEAC68C080F52824A0F521EDB6B78577EC52BF1C9E78F4BB71192F9A23F1A17AA76E5979E4D953329D3CA65FB4A71DA57412B59DFD6AEDF0191C5555D3E5F582B81B5E6B23163E9889204A81AFFDF119FE25C92F4ED59BD3285BCD7AAE14824240D2E33C5A97848F4EB7AAC203DE6330D2B4D8FF61691544FBECD120F99A157B3D2F58FA51B2887A9D06CA383C44D071314A12B17928B96F03A06E959A5AFEFA0183664F52CD32B9FC72A04B45913FCB2D5D2D3A415A14F611CF1EAC2D6C785142A8E9CC41B67A6CD85001B06EDB8CA767D367E56E0AE651491BF8A8C17A38A1835DB9E4A9292B1D86D5776C98CC25,
        0x647327833ACFEF1F9C83E74E171FC300FA347D4A6769476C33DA82C95120ACB38B62B33D429206FE6E9BB0BB7AB748A1036971BEA36EC47130B749C1C9FF6FE03D0F7D9FC5346EB0E575BDFA6C530AA57CD676894FC080D2DD049AB59625F4B9C78BCFD95CDCD2793E440E26E189D251121CB6EB177FEDB596409034E8B0C5BBD9BD9342235DBB226C9170EFE347FF0FD2CFF9A1F7B647CC83E4D8F005FD7125A89251C768AFE70BDD54B88116814D5030F499BCAC4673CCCC342FB4B6AC58EA5A64546DC25912B6C430529F6A7F449FD96536DE269D1A1B015A4AC6B6E46EE19DCE8143726A6503E290E4BAE6BD78319B5878981F6CFFDB3B818209341FD68B]
    m = libnum.s2n(flag)
    c = str(pow(m, pub_key[1], pub_key[0]))
    aaa = []
    bbb = [
        0xD28ED952,
        1472742623,
        0xD91BA938,
        0xF9F3BD2D,
        0x8EF8E43D,
        617653972,
        1474514999,
        1471783658,
        1012864704,
        0xD7821910,
        993855884,
        438456717,
        0xC83555B7,
        0xE8DFF468,
        198959101,
        0xC5B84FEB,
        0xD9F837C6,
        613157871,
        0x8EFA4EDD,
        97286225,
        0x8B4B608C,
        1471645170,
        0xC0B62792,
        583597118,
        0xAAB1C22D,
        0xBDB9C266,
        1384330715,
        0xAE9F9816,
        0xD1F40B3C,
        0x8206DDC3,
        0xC4E0BADC,
        0xE407BD26,
        145643141,
        0x8016C6A5,
        0xAF4AB9D3,
        506798154,
        994590281,
        0x85082A0B,
        0xCA0BC95A,
        0xA7BE567C,
        1105937096,
        1789727804,
        0xDFEFB591,
        0x93346B38,
        1162286478,
        680814033,
        0xAEE1A7A2,
        0x80E574AE,
        0xF154F55F,
        2121620700,
        0xFCBDA653,
        0x8E902444,
        0xCA742E12,
        0xB8424071,
        0xB4B15EC2,
        0x943BFA09,
        0xBC97CD93,
        1285603712,
        798920280,
        0x8B58328F,
        0xF9822360,
        0xD1FD15EE,
        1077514121,
        1436444106,
        0xA2D6C17E,
        1507202797,
        500756149,
        198754565,
        0x8E014807,
        880454148,
        1970517398,
        0xBFC6EE25,
        1161840191,
        560498076,
        1782600856,
        0x9D93FEBE,
        1285196205,
        788797746,
        1195724574,
        0xF2174A07,
        103427523,
        0x952BFE83,
        0xF730AC4C,
        617564657,
        978211984,
        1781482121,
        0x8379D23A,
        0xEAD737EE,
        0xE41555FB,
        659557668,
        0x99F3B244,
        1561884856,
        0x842C31A4,
        1189296962,
        169145316,
        0xA5CE044C,
        1323893433,
        824667876,
        408202876,
        0xE0178482,
        0xF412BBBC,
        1508996065,
        162419237,
        0xDE740B00,
        0xB7CB64FD,
        0xEBCADB1F,
        0x8EAE2326,
        0x933C216C,
        0xD7D1F649,
        481927014,
        0xA448AC16,
        0xBC082807,
        1261069441,
        2063238535,
        0x8474A61D,
        101459755,
        0xBC5654D1,
        1721190841,
        1078395785,
        176506553,
        0xD3C5280F,
        1566142515,
        1938949000,
        1499289517,
        0xC59872F8,
        829714860,
        0xE51502A2,
        952932374,
        1283577465,
        2045007203,
        0xEBE6A798,
        0xE09575CD,
        0xADDF4157,
        0xC4770191,
        482297421,
        1734231412,
        0xDAC71054,
        0x99807E43,
        0xA88D74B1,
        0xCB77E028,
        1533519803,
        0xEEEBC3B6,
        0xE7E680E5,
        272960248,
        317508587,
        0xC4B10CDC,
        0x91776399,
        27470488,
        1666674386,
        1737927609,
        750987808,
        0x8E364D8F,
        0xA0985A77,
        562925334,
        0x837D6DC3]
    i = 0
    if i < len(c):
        = 0
        aaa.append(ᘞ)
        i += 4
        if not i < en(c):
            = [
                54,
                54,
                54,
                54]
            ccc = len(aaa)
            res = encrypt(ccc, aaa, ᘝ)
            if aaa == bbb:
                print('You are right!')
                input('')
                quit()
 
print('Why not drink a cup of tea and have a rest?')
continue
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
from cup import *
if __name__ == '__main__':
    flag = input('\xe8\xaf\xb7\xe8\xbe\x93\xe5\x85\xa5flag')
    pub_key = [
        0x649EE967E7916A825CC9FD3320BEABF263BEAC68C080F52824A0F521EDB6B78577EC52BF1C9E78F4BB71192F9A23F1A17AA76E5979E4D953329D3CA65FB4A71DA57412B59DFD6AEDF0191C5555D3E5F582B81B5E6B23163E9889204A81AFFDF119FE25C92F4ED59BD3285BCD7AAE14824240D2E33C5A97848F4EB7AAC203DE6330D2B4D8FF61691544FBECD120F99A157B3D2F58FA51B2887A9D06CA383C44D071314A12B17928B96F03A06E959A5AFEFA0183664F52CD32B9FC72A04B45913FCB2D5D2D3A415A14F611CF1EAC2D6C785142A8E9CC41B67A6CD85001B06EDB8CA767D367E56E0AE651491BF8A8C17A38A1835DB9E4A9292B1D86D5776C98CC25,
        0x647327833ACFEF1F9C83E74E171FC300FA347D4A6769476C33DA82C95120ACB38B62B33D429206FE6E9BB0BB7AB748A1036971BEA36EC47130B749C1C9FF6FE03D0F7D9FC5346EB0E575BDFA6C530AA57CD676894FC080D2DD049AB59625F4B9C78BCFD95CDCD2793E440E26E189D251121CB6EB177FEDB596409034E8B0C5BBD9BD9342235DBB226C9170EFE347FF0FD2CFF9A1F7B647CC83E4D8F005FD7125A89251C768AFE70BDD54B88116814D5030F499BCAC4673CCCC342FB4B6AC58EA5A64546DC25912B6C430529F6A7F449FD96536DE269D1A1B015A4AC6B6E46EE19DCE8143726A6503E290E4BAE6BD78319B5878981F6CFFDB3B818209341FD68B]
    m = libnum.s2n(flag)
    c = str(pow(m, pub_key[1], pub_key[0]))
    aaa = []
    bbb = [
        0xD28ED952,
        1472742623,
        0xD91BA938,
        0xF9F3BD2D,
        0x8EF8E43D,
        617653972,
        1474514999,
        1471783658,
        1012864704,
        0xD7821910,
        993855884,
        438456717,
        0xC83555B7,
        0xE8DFF468,
        198959101,
        0xC5B84FEB,
        0xD9F837C6,
        613157871,
        0x8EFA4EDD,
        97286225,
        0x8B4B608C,
        1471645170,
        0xC0B62792,
        583597118,
        0xAAB1C22D,
        0xBDB9C266,
        1384330715,
        0xAE9F9816,
        0xD1F40B3C,
        0x8206DDC3,
        0xC4E0BADC,
        0xE407BD26,
        145643141,
        0x8016C6A5,
        0xAF4AB9D3,
        506798154,
        994590281,
        0x85082A0B,
        0xCA0BC95A,
        0xA7BE567C,
        1105937096,
        1789727804,
        0xDFEFB591,
        0x93346B38,
        1162286478,
        680814033,
        0xAEE1A7A2,
        0x80E574AE,
        0xF154F55F,
        2121620700,
        0xFCBDA653,
        0x8E902444,
        0xCA742E12,
        0xB8424071,
        0xB4B15EC2,
        0x943BFA09,
        0xBC97CD93,
        1285603712,
        798920280,
        0x8B58328F,
        0xF9822360,
        0xD1FD15EE,
        1077514121,
        1436444106,
        0xA2D6C17E,
        1507202797,
        500756149,
        198754565,
        0x8E014807,
        880454148,
        1970517398,
        0xBFC6EE25,
        1161840191,
        560498076,
        1782600856,
        0x9D93FEBE,
        1285196205,
        788797746,
        1195724574,
        0xF2174A07,
        103427523,
        0x952BFE83,
        0xF730AC4C,
        617564657,
        978211984,
        1781482121,
        0x8379D23A,
        0xEAD737EE,
        0xE41555FB,
        659557668,
        0x99F3B244,
        1561884856,
        0x842C31A4,
        1189296962,
        169145316,
        0xA5CE044C,
        1323893433,
        824667876,
        408202876,
        0xE0178482,
        0xF412BBBC,
        1508996065,
        162419237,
        0xDE740B00,
        0xB7CB64FD,
        0xEBCADB1F,
        0x8EAE2326,
        0x933C216C,
        0xD7D1F649,
        481927014,
        0xA448AC16,
        0xBC082807,
        1261069441,
        2063238535,
        0x8474A61D,
        101459755,
        0xBC5654D1,
        1721190841,
        1078395785,
        176506553,
        0xD3C5280F,
        1566142515,
        1938949000,
        1499289517,
        0xC59872F8,
        829714860,
        0xE51502A2,
        952932374,
        1283577465,
        2045007203,
        0xEBE6A798,
        0xE09575CD,
        0xADDF4157,
        0xC4770191,
        482297421,
        1734231412,
        0xDAC71054,
        0x99807E43,
        0xA88D74B1,
        0xCB77E028,
        1533519803,
        0xEEEBC3B6,
        0xE7E680E5,
        272960248,
        317508587,
        0xC4B10CDC,
        0x91776399,
        27470488,
        1666674386,
        1737927609,
        750987808,
        0x8E364D8F,
        0xA0985A77,
        562925334,
        0x837D6DC3]
    i = 0
    if i < len(c):
        = 0
        aaa.append(ᘞ)

[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)

最后于 2022-7-18 20:42 被XUNVVAY编辑 ,原因: 添加标题
收藏
免费 4
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回
//