-
-
[原创]2022DASCTF Apr X FATE 防疫挑战赛-Reverse-奇怪的交易
-
发表于: 2022-7-18 09:35 10068
-
那天做了挺久,最后终于搞出来了:)
1.放到ida中判断出该文件使用pyinstaller打包
2.使用pyinstxtractor对exe进行反编译
3.得到奇怪的交易.pyc和PYZ-00.pyz_extracted文件夹中的pyc文件
4.反编译pyimod00_crypto_key.pyc,得到pyc.encrypted加密密钥为0000000000000tea
5.使用tinyaes对cup.pyc.encrypted进行解密,得到解密后的pyc
6.反编译奇怪的交易.pyc和cup.pyc,得到main函数和encrypt函数。判断出加密函数为xxtea加密算法,得到加密的密文和密钥。
main函数不完整,但是猜测bbb就是xxtea加密后的密文,[54,54,54,54]就是密钥。
cup.py文件源码:
反编译奇怪的交易.py文件源码:(源码不完整)
7.对密文进行解密,得到flag变换后的明文
8.根据代码flag = str( pow(m, pub_key[1], pub_key[0]))等价与求RSA解密后明文。通过pub_key的值发现e和n非常大且十分接近,那么可以利用RSA的维纳攻击直接解出flag。
工具来源:
https://github.com/extremecoders-re/pyinstxtractor
https://tool.lu/pyc/
https://github.com/pablocelayes/rsa-wiener-attack
#!/usr/bin/env python
key
=
'0000000000000tea'
#!/usr/bin/env python
key
=
'0000000000000tea'
#!/usr/bin/env python3
import
tinyaes
import
zlib
CRYPT_BLOCK_SIZE
=
16
# key obtained from pyimod00_crypto_key
key
=
bytes(
'0000000000000tea'
,
'utf-8'
)
inf
=
open
(
'cup.pyc.encrypted'
,
'rb'
)
# encrypted file input
outf
=
open
(
'cup310.pyc'
,
'wb'
)
# output file
# Initialization vector
iv
=
inf.read(CRYPT_BLOCK_SIZE)
cipher
=
tinyaes.AES(key, iv)
# Decrypt and decompress
plaintext
=
zlib.decompress(cipher.CTR_xcrypt_buffer(inf.read()))
# Write pyc header
# The header below is for Python 3.10
outf.write(b
'\x6f\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0'
)
# Write decrypted data
outf.write(plaintext)
inf.close()
outf.close()
#!/usr/bin/env python3
import
tinyaes
import
zlib
CRYPT_BLOCK_SIZE
=
16
# key obtained from pyimod00_crypto_key
key
=
bytes(
'0000000000000tea'
,
'utf-8'
)
inf
=
open
(
'cup.pyc.encrypted'
,
'rb'
)
# encrypted file input
outf
=
open
(
'cup310.pyc'
,
'wb'
)
# output file
# Initialization vector
iv
=
inf.read(CRYPT_BLOCK_SIZE)
cipher
=
tinyaes.AES(key, iv)
# Decrypt and decompress
plaintext
=
zlib.decompress(cipher.CTR_xcrypt_buffer(inf.read()))
# Write pyc header
# The header below is for Python 3.10
outf.write(b
'\x6f\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0'
)
# Write decrypted data
outf.write(plaintext)
inf.close()
outf.close()
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
import
libnum
from
ctypes
import
*
def
MX(z, y, total, key, p, e):
temp1
=
(z.value >>
5
^ y.value <<
2
)
+
(y.value >>
3
^ z.value <<
4
)
temp2
=
(total.value ^ y.value)
+
(key[p &
3
^ e.value] ^ z.value)
return
c_uint32(temp1 ^ temp2)
def
encrypt(v, k, z):
delte
=
0x9E3779B9L
ᘛ
=
6
+
52
/
/
v
total
=
c_uint32(
0
)
ᘔ
=
c_uint32(k[v
-
1
])
ᘕ
=
c_uint32(
0
)
if
ᘛ >
0
:
total.value
+
=
delte
ᘕ.value
=
total.value >>
2
&
3
ᘚ
=
c_uint32(k[
0
])
k[v
-
1
]
=
c_uint32(k[v
-
1
]
+
MX(ᘔ, ᘚ, total, z, v
-
1
, ᘕ).value).value
ᘔ.value
=
k[v
-
1
]
ᘛ
-
=
1
if
not
ᘛ >
0
:
return
k
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
import
libnum
from
ctypes
import
*
def
MX(z, y, total, key, p, e):
temp1
=
(z.value >>
5
^ y.value <<
2
)
+
(y.value >>
3
^ z.value <<
4
)
temp2
=
(total.value ^ y.value)
+
(key[p &
3
^ e.value] ^ z.value)
return
c_uint32(temp1 ^ temp2)
def
encrypt(v, k, z):
delte
=
0x9E3779B9L
ᘛ
=
6
+
52
/
/
v
total
=
c_uint32(
0
)
ᘔ
=
c_uint32(k[v
-
1
])
ᘕ
=
c_uint32(
0
)
if
ᘛ >
0
:
total.value
+
=
delte
ᘕ.value
=
total.value >>
2
&
3
ᘚ
=
c_uint32(k[
0
])
k[v
-
1
]
=
c_uint32(k[v
-
1
]
+
MX(ᘔ, ᘚ, total, z, v
-
1
, ᘕ).value).value
ᘔ.value
=
k[v
-
1
]
ᘛ
-
=
1
if
not
ᘛ >
0
:
return
k
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
from
cup
import
*
if
__name__
=
=
'__main__'
:
flag
=
input
(
'\xe8\xaf\xb7\xe8\xbe\x93\xe5\x85\xa5flag'
)
pub_key
=
[
0x649EE967E7916A825CC9FD3320BEABF263BEAC68C080F52824A0F521EDB6B78577EC52BF1C9E78F4BB71192F9A23F1A17AA76E5979E4D953329D3CA65FB4A71DA57412B59DFD6AEDF0191C5555D3E5F582B81B5E6B23163E9889204A81AFFDF119FE25C92F4ED59BD3285BCD7AAE14824240D2E33C5A97848F4EB7AAC203DE6330D2B4D8FF61691544FBECD120F99A157B3D2F58FA51B2887A9D06CA383C44D071314A12B17928B96F03A06E959A5AFEFA0183664F52CD32B9FC72A04B45913FCB2D5D2D3A415A14F611CF1EAC2D6C785142A8E9CC41B67A6CD85001B06EDB8CA767D367E56E0AE651491BF8A8C17A38A1835DB9E4A9292B1D86D5776C98CC25
,
0x647327833ACFEF1F9C83E74E171FC300FA347D4A6769476C33DA82C95120ACB38B62B33D429206FE6E9BB0BB7AB748A1036971BEA36EC47130B749C1C9FF6FE03D0F7D9FC5346EB0E575BDFA6C530AA57CD676894FC080D2DD049AB59625F4B9C78BCFD95CDCD2793E440E26E189D251121CB6EB177FEDB596409034E8B0C5BBD9BD9342235DBB226C9170EFE347FF0FD2CFF9A1F7B647CC83E4D8F005FD7125A89251C768AFE70BDD54B88116814D5030F499BCAC4673CCCC342FB4B6AC58EA5A64546DC25912B6C430529F6A7F449FD96536DE269D1A1B015A4AC6B6E46EE19DCE8143726A6503E290E4BAE6BD78319B5878981F6CFFDB3B818209341FD68B
]
m
=
libnum.s2n(flag)
c
=
str
(
pow
(m, pub_key[
1
], pub_key[
0
]))
aaa
=
[]
bbb
=
[
0xD28ED952
,
1472742623
,
0xD91BA938
,
0xF9F3BD2D
,
0x8EF8E43D
,
617653972
,
1474514999
,
1471783658
,
1012864704
,
0xD7821910
,
993855884
,
438456717
,
0xC83555B7
,
0xE8DFF468
,
198959101
,
0xC5B84FEB
,
0xD9F837C6
,
613157871
,
0x8EFA4EDD
,
97286225
,
0x8B4B608C
,
1471645170
,
0xC0B62792
,
583597118
,
0xAAB1C22D
,
0xBDB9C266
,
1384330715
,
0xAE9F9816
,
0xD1F40B3C
,
0x8206DDC3
,
0xC4E0BADC
,
0xE407BD26
,
145643141
,
0x8016C6A5
,
0xAF4AB9D3
,
506798154
,
994590281
,
0x85082A0B
,
0xCA0BC95A
,
0xA7BE567C
,
1105937096
,
1789727804
,
0xDFEFB591
,
0x93346B38
,
1162286478
,
680814033
,
0xAEE1A7A2
,
0x80E574AE
,
0xF154F55F
,
2121620700
,
0xFCBDA653
,
0x8E902444
,
0xCA742E12
,
0xB8424071
,
0xB4B15EC2
,
0x943BFA09
,
0xBC97CD93
,
1285603712
,
798920280
,
0x8B58328F
,
0xF9822360
,
0xD1FD15EE
,
1077514121
,
1436444106
,
0xA2D6C17E
,
1507202797
,
500756149
,
198754565
,
0x8E014807
,
880454148
,
1970517398
,
0xBFC6EE25
,
1161840191
,
560498076
,
1782600856
,
0x9D93FEBE
,
1285196205
,
788797746
,
1195724574
,
0xF2174A07
,
103427523
,
0x952BFE83
,
0xF730AC4C
,
617564657
,
978211984
,
1781482121
,
0x8379D23A
,
0xEAD737EE
,
0xE41555FB
,
659557668
,
0x99F3B244
,
1561884856
,
0x842C31A4
,
1189296962
,
169145316
,
0xA5CE044C
,
1323893433
,
824667876
,
408202876
,
0xE0178482
,
0xF412BBBC
,
1508996065
,
162419237
,
0xDE740B00
,
0xB7CB64FD
,
0xEBCADB1F
,
0x8EAE2326
,
0x933C216C
,
0xD7D1F649
,
481927014
,
0xA448AC16
,
0xBC082807
,
1261069441
,
2063238535
,
0x8474A61D
,
101459755
,
0xBC5654D1
,
1721190841
,
1078395785
,
176506553
,
0xD3C5280F
,
1566142515
,
1938949000
,
1499289517
,
0xC59872F8
,
829714860
,
0xE51502A2
,
952932374
,
1283577465
,
2045007203
,
0xEBE6A798
,
0xE09575CD
,
0xADDF4157
,
0xC4770191
,
482297421
,
1734231412
,
0xDAC71054
,
0x99807E43
,
0xA88D74B1
,
0xCB77E028
,
1533519803
,
0xEEEBC3B6
,
0xE7E680E5
,
272960248
,
317508587
,
0xC4B10CDC
,
0x91776399
,
27470488
,
1666674386
,
1737927609
,
750987808
,
0x8E364D8F
,
0xA0985A77
,
562925334
,
0x837D6DC3
]
i
=
0
if
i <
len
(c):
ᘞ
=
0
aaa.append(ᘞ)
i
+
=
4
if
not
i < en(c):
ᘝ
=
[
54
,
54
,
54
,
54
]
ccc
=
len
(aaa)
res
=
encrypt(ccc, aaa, ᘝ)
if
aaa
=
=
bbb:
print
(
'You are right!'
)
input
('')
quit()
print
(
'Why not drink a cup of tea and have a rest?'
)
continue
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
from
cup
import
*
if
__name__
=
=
'__main__'
:
flag
=
input
(
'\xe8\xaf\xb7\xe8\xbe\x93\xe5\x85\xa5flag'
)
pub_key
=
[
0x649EE967E7916A825CC9FD3320BEABF263BEAC68C080F52824A0F521EDB6B78577EC52BF1C9E78F4BB71192F9A23F1A17AA76E5979E4D953329D3CA65FB4A71DA57412B59DFD6AEDF0191C5555D3E5F582B81B5E6B23163E9889204A81AFFDF119FE25C92F4ED59BD3285BCD7AAE14824240D2E33C5A97848F4EB7AAC203DE6330D2B4D8FF61691544FBECD120F99A157B3D2F58FA51B2887A9D06CA383C44D071314A12B17928B96F03A06E959A5AFEFA0183664F52CD32B9FC72A04B45913FCB2D5D2D3A415A14F611CF1EAC2D6C785142A8E9CC41B67A6CD85001B06EDB8CA767D367E56E0AE651491BF8A8C17A38A1835DB9E4A9292B1D86D5776C98CC25
,
0x647327833ACFEF1F9C83E74E171FC300FA347D4A6769476C33DA82C95120ACB38B62B33D429206FE6E9BB0BB7AB748A1036971BEA36EC47130B749C1C9FF6FE03D0F7D9FC5346EB0E575BDFA6C530AA57CD676894FC080D2DD049AB59625F4B9C78BCFD95CDCD2793E440E26E189D251121CB6EB177FEDB596409034E8B0C5BBD9BD9342235DBB226C9170EFE347FF0FD2CFF9A1F7B647CC83E4D8F005FD7125A89251C768AFE70BDD54B88116814D5030F499BCAC4673CCCC342FB4B6AC58EA5A64546DC25912B6C430529F6A7F449FD96536DE269D1A1B015A4AC6B6E46EE19DCE8143726A6503E290E4BAE6BD78319B5878981F6CFFDB3B818209341FD68B
]
m
=
libnum.s2n(flag)
c
=
str
(
pow
(m, pub_key[
1
], pub_key[
0
]))
aaa
=
[]
bbb
=
[
0xD28ED952
,
1472742623
,
0xD91BA938
,
0xF9F3BD2D
,
0x8EF8E43D
,
617653972
,
1474514999
,
1471783658
,
1012864704
,
0xD7821910
,
993855884
,
438456717
,
0xC83555B7
,
0xE8DFF468
,
198959101
,
0xC5B84FEB
,
0xD9F837C6
,
613157871
,
0x8EFA4EDD
,
97286225
,
0x8B4B608C
,
1471645170
,
0xC0B62792
,
583597118
,
0xAAB1C22D
,
0xBDB9C266
,
1384330715
,
0xAE9F9816
,
0xD1F40B3C
,
0x8206DDC3
,
0xC4E0BADC
,
0xE407BD26
,
145643141
,
0x8016C6A5
,
0xAF4AB9D3
,
506798154
,
994590281
,
0x85082A0B
,
0xCA0BC95A
,
0xA7BE567C
,
1105937096
,
1789727804
,
0xDFEFB591
,
0x93346B38
,
1162286478
,
680814033
,
0xAEE1A7A2
,
0x80E574AE
,
0xF154F55F
,
2121620700
,
0xFCBDA653
,
0x8E902444
,
0xCA742E12
,
0xB8424071
,
0xB4B15EC2
,
0x943BFA09
,
0xBC97CD93
,
1285603712
,
798920280
,
0x8B58328F
,
0xF9822360
,
0xD1FD15EE
,
1077514121
,
1436444106
,
0xA2D6C17E
,
1507202797
,
500756149
,
198754565
,
0x8E014807
,
880454148
,
1970517398
,
0xBFC6EE25
,
1161840191
,
560498076
,
1782600856
,
0x9D93FEBE
,
1285196205
,
788797746
,
1195724574
,
0xF2174A07
,
103427523
,
0x952BFE83
,
0xF730AC4C
,
617564657
,
978211984
,
1781482121
,
0x8379D23A
,
0xEAD737EE
,
0xE41555FB
,
659557668
,
0x99F3B244
,
1561884856
,
0x842C31A4
,
1189296962
,
169145316
,
0xA5CE044C
,
1323893433
,
824667876
,
408202876
,
0xE0178482
,
0xF412BBBC
,
1508996065
,
162419237
,
0xDE740B00
,
0xB7CB64FD
,
0xEBCADB1F
,
0x8EAE2326
,
0x933C216C
,
0xD7D1F649
,
481927014
,
0xA448AC16
,
0xBC082807
,
1261069441
,
2063238535
,
0x8474A61D
,
101459755
,
0xBC5654D1
,
1721190841
,
1078395785
,
176506553
,
0xD3C5280F
,
1566142515
,
1938949000
,
1499289517
,
0xC59872F8
,
829714860
,
0xE51502A2
,
952932374
,
1283577465
,
2045007203
,
0xEBE6A798
,
0xE09575CD
,
0xADDF4157
,
0xC4770191
,
482297421
,
1734231412
,
0xDAC71054
,
0x99807E43
,
0xA88D74B1
,
0xCB77E028
,
1533519803
,
0xEEEBC3B6
,
0xE7E680E5
,
272960248
,
317508587
,
0xC4B10CDC
,
0x91776399
,
27470488
,
1666674386
,
1737927609
,
750987808
,
0x8E364D8F
,
0xA0985A77
,
562925334
,
0x837D6DC3
]
i
=
0
if
i <
len
(c):
ᘞ
=
0
aaa.append(ᘞ)
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
最后于 2022-7-18 20:42
被XUNVVAY编辑
,原因: 添加标题
赞赏记录
参与人
雪币
留言
时间
伟叔叔
为你点赞~
2023-3-18 01:52
一笑人间万事
为你点赞~
2023-1-12 02:54
狗敦子
为你点赞~
2022-10-28 21:30
XUNVVAY
为你点赞~
2022-7-19 19:38
赞赏
看原图
赞赏
雪币:
留言: