-
-
[原创]2022DASCTF Apr X FATE 防疫挑战赛-Reverse-奇怪的交易
-
发表于: 2022-7-18 09:35 10085
-
那天做了挺久,最后终于搞出来了:)
1.放到ida中判断出该文件使用pyinstaller打包
2.使用pyinstxtractor对exe进行反编译
3.得到奇怪的交易.pyc和PYZ-00.pyz_extracted文件夹中的pyc文件
4.反编译pyimod00_crypto_key.pyc,得到pyc.encrypted加密密钥为0000000000000tea
5.使用tinyaes对cup.pyc.encrypted进行解密,得到解密后的pyc
6.反编译奇怪的交易.pyc和cup.pyc,得到main函数和encrypt函数。判断出加密函数为xxtea加密算法,得到加密的密文和密钥。
main函数不完整,但是猜测bbb就是xxtea加密后的密文,[54,54,54,54]就是密钥。
cup.py文件源码:
反编译奇怪的交易.py文件源码:(源码不完整)
7.对密文进行解密,得到flag变换后的明文
8.根据代码flag = str( pow(m, pub_key[1], pub_key[0]))等价与求RSA解密后明文。通过pub_key的值发现e和n非常大且十分接近,那么可以利用RSA的维纳攻击直接解出flag。
工具来源:
https://github.com/extremecoders-re/pyinstxtractor
https://tool.lu/pyc/
https://github.com/pablocelayes/rsa-wiener-attack
#!/usr/bin/env pythonkey = '0000000000000tea'
#!/usr/bin/env pythonkey = '0000000000000tea'
#!/usr/bin/env python3import tinyaes
import zlib
CRYPT_BLOCK_SIZE = 16
# key obtained from pyimod00_crypto_keykey = bytes('0000000000000tea', 'utf-8')
inf = open('cup.pyc.encrypted', 'rb') # encrypted file input
outf = open('cup310.pyc', 'wb') # output file
# Initialization vectoriv = inf.read(CRYPT_BLOCK_SIZE)
cipher = tinyaes.AES(key, iv)
# Decrypt and decompressplaintext = zlib.decompress(cipher.CTR_xcrypt_buffer(inf.read()))
# Write pyc header# The header below is for Python 3.10outf.write(b'\x6f\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0')
# Write decrypted dataoutf.write(plaintext)inf.close()outf.close()#!/usr/bin/env python3import tinyaes
import zlib
CRYPT_BLOCK_SIZE = 16
# key obtained from pyimod00_crypto_keykey = bytes('0000000000000tea', 'utf-8')
inf = open('cup.pyc.encrypted', 'rb') # encrypted file input
outf = open('cup310.pyc', 'wb') # output file
# Initialization vectoriv = inf.read(CRYPT_BLOCK_SIZE)
cipher = tinyaes.AES(key, iv)
# Decrypt and decompressplaintext = zlib.decompress(cipher.CTR_xcrypt_buffer(inf.read()))
# Write pyc header# The header below is for Python 3.10outf.write(b'\x6f\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0')
# Write decrypted dataoutf.write(plaintext)inf.close()outf.close()#!/usr/bin/env python# visit https://tool.lu/pyc/ for more informationimport libnum
from ctypes import *
def MX(z, y, total, key, p, e):
temp1 = (z.value >> 5 ^ y.value << 2) + (y.value >> 3 ^ z.value << 4)
temp2 = (total.value ^ y.value) + (key[p & 3 ^ e.value] ^ z.value)
return c_uint32(temp1 ^ temp2)
def encrypt(v, k, z):
delte = 0x9E3779B9L
ᘛ = 6 + 52 // v
total = c_uint32(0)
ᘔ = c_uint32(k[v - 1])
ᘕ = c_uint32(0)
if ᘛ > 0:
total.value += delte
ᘕ.value = total.value >> 2 & 3
ᘚ = c_uint32(k[0])
k[v - 1] = c_uint32(k[v - 1] + MX(ᘔ, ᘚ, total, z, v - 1, ᘕ).value).value
ᘔ.value = k[v - 1]
ᘛ -= 1
if not ᘛ > 0:
return k
#!/usr/bin/env python# visit https://tool.lu/pyc/ for more informationimport libnum
from ctypes import *
def MX(z, y, total, key, p, e):
temp1 = (z.value >> 5 ^ y.value << 2) + (y.value >> 3 ^ z.value << 4)
temp2 = (total.value ^ y.value) + (key[p & 3 ^ e.value] ^ z.value)
return c_uint32(temp1 ^ temp2)
def encrypt(v, k, z):
delte = 0x9E3779B9L
ᘛ = 6 + 52 // v
total = c_uint32(0)
ᘔ = c_uint32(k[v - 1])
ᘕ = c_uint32(0)
if ᘛ > 0:
total.value += delte
ᘕ.value = total.value >> 2 & 3
ᘚ = c_uint32(k[0])
k[v - 1] = c_uint32(k[v - 1] + MX(ᘔ, ᘚ, total, z, v - 1, ᘕ).value).value
ᘔ.value = k[v - 1]
ᘛ -= 1
if not ᘛ > 0:
return k
#!/usr/bin/env python# visit https://tool.lu/pyc/ for more informationfrom cup import *
if __name__ == '__main__':
flag = input('\xe8\xaf\xb7\xe8\xbe\x93\xe5\x85\xa5flag')
pub_key = [
0x649EE967E7916A825CC9FD3320BEABF263BEAC68C080F52824A0F521EDB6B78577EC52BF1C9E78F4BB71192F9A23F1A17AA76E5979E4D953329D3CA65FB4A71DA57412B59DFD6AEDF0191C5555D3E5F582B81B5E6B23163E9889204A81AFFDF119FE25C92F4ED59BD3285BCD7AAE14824240D2E33C5A97848F4EB7AAC203DE6330D2B4D8FF61691544FBECD120F99A157B3D2F58FA51B2887A9D06CA383C44D071314A12B17928B96F03A06E959A5AFEFA0183664F52CD32B9FC72A04B45913FCB2D5D2D3A415A14F611CF1EAC2D6C785142A8E9CC41B67A6CD85001B06EDB8CA767D367E56E0AE651491BF8A8C17A38A1835DB9E4A9292B1D86D5776C98CC25,
0x647327833ACFEF1F9C83E74E171FC300FA347D4A6769476C33DA82C95120ACB38B62B33D429206FE6E9BB0BB7AB748A1036971BEA36EC47130B749C1C9FF6FE03D0F7D9FC5346EB0E575BDFA6C530AA57CD676894FC080D2DD049AB59625F4B9C78BCFD95CDCD2793E440E26E189D251121CB6EB177FEDB596409034E8B0C5BBD9BD9342235DBB226C9170EFE347FF0FD2CFF9A1F7B647CC83E4D8F005FD7125A89251C768AFE70BDD54B88116814D5030F499BCAC4673CCCC342FB4B6AC58EA5A64546DC25912B6C430529F6A7F449FD96536DE269D1A1B015A4AC6B6E46EE19DCE8143726A6503E290E4BAE6BD78319B5878981F6CFFDB3B818209341FD68B]
m = libnum.s2n(flag)
c = str(pow(m, pub_key[1], pub_key[0]))
aaa = []
bbb = [
0xD28ED952,
1472742623,
0xD91BA938,
0xF9F3BD2D,
0x8EF8E43D,
617653972,
1474514999,
1471783658,
1012864704,
0xD7821910,
993855884,
438456717,
0xC83555B7,
0xE8DFF468,
198959101,
0xC5B84FEB,
0xD9F837C6,
613157871,
0x8EFA4EDD,
97286225,
0x8B4B608C,
1471645170,
0xC0B62792,
583597118,
0xAAB1C22D,
0xBDB9C266,
1384330715,
0xAE9F9816,
0xD1F40B3C,
0x8206DDC3,
0xC4E0BADC,
0xE407BD26,
145643141,
0x8016C6A5,
0xAF4AB9D3,
506798154,
994590281,
0x85082A0B,
0xCA0BC95A,
0xA7BE567C,
1105937096,
1789727804,
0xDFEFB591,
0x93346B38,
1162286478,
680814033,
0xAEE1A7A2,
0x80E574AE,
0xF154F55F,
2121620700,
0xFCBDA653,
0x8E902444,
0xCA742E12,
0xB8424071,
0xB4B15EC2,
0x943BFA09,
0xBC97CD93,
1285603712,
798920280,
0x8B58328F,
0xF9822360,
0xD1FD15EE,
1077514121,
1436444106,
0xA2D6C17E,
1507202797,
500756149,
198754565,
0x8E014807,
880454148,
1970517398,
0xBFC6EE25,
1161840191,
560498076,
1782600856,
0x9D93FEBE,
1285196205,
788797746,
1195724574,
0xF2174A07,
103427523,
0x952BFE83,
0xF730AC4C,
617564657,
978211984,
1781482121,
0x8379D23A,
0xEAD737EE,
0xE41555FB,
659557668,
0x99F3B244,
1561884856,
0x842C31A4,
1189296962,
169145316,
0xA5CE044C,
1323893433,
824667876,
408202876,
0xE0178482,
0xF412BBBC,
1508996065,
162419237,
0xDE740B00,
0xB7CB64FD,
0xEBCADB1F,
0x8EAE2326,
0x933C216C,
0xD7D1F649,
481927014,
0xA448AC16,
0xBC082807,
1261069441,
2063238535,
0x8474A61D,
101459755,
0xBC5654D1,
1721190841,
1078395785,
176506553,
0xD3C5280F,
1566142515,
1938949000,
1499289517,
0xC59872F8,
829714860,
0xE51502A2,
952932374,
1283577465,
2045007203,
0xEBE6A798,
0xE09575CD,
0xADDF4157,
0xC4770191,
482297421,
1734231412,
0xDAC71054,
0x99807E43,
0xA88D74B1,
0xCB77E028,
1533519803,
0xEEEBC3B6,
0xE7E680E5,
272960248,
317508587,
0xC4B10CDC,
0x91776399,
27470488,
1666674386,
1737927609,
750987808,
0x8E364D8F,
0xA0985A77,
562925334,
0x837D6DC3]
i = 0
if i < len(c):
ᘞ = 0
aaa.append(ᘞ)
i += 4
if not i < en(c):
ᘝ = [
54,
54,
54,
54]
ccc = len(aaa)
res = encrypt(ccc, aaa, ᘝ)
if aaa == bbb:
print('You are right!')
input('')
quit()
print('Why not drink a cup of tea and have a rest?')
continue#!/usr/bin/env python# visit https://tool.lu/pyc/ for more informationfrom cup import *
if __name__ == '__main__':
flag = input('\xe8\xaf\xb7\xe8\xbe\x93\xe5\x85\xa5flag')
pub_key = [
0x649EE967E7916A825CC9FD3320BEABF263BEAC68C080F52824A0F521EDB6B78577EC52BF1C9E78F4BB71192F9A23F1A17AA76E5979E4D953329D3CA65FB4A71DA57412B59DFD6AEDF0191C5555D3E5F582B81B5E6B23163E9889204A81AFFDF119FE25C92F4ED59BD3285BCD7AAE14824240D2E33C5A97848F4EB7AAC203DE6330D2B4D8FF61691544FBECD120F99A157B3D2F58FA51B2887A9D06CA383C44D071314A12B17928B96F03A06E959A5AFEFA0183664F52CD32B9FC72A04B45913FCB2D5D2D3A415A14F611CF1EAC2D6C785142A8E9CC41B67A6CD85001B06EDB8CA767D367E56E0AE651491BF8A8C17A38A1835DB9E4A9292B1D86D5776C98CC25,
0x647327833ACFEF1F9C83E74E171FC300FA347D4A6769476C33DA82C95120ACB38B62B33D429206FE6E9BB0BB7AB748A1036971BEA36EC47130B749C1C9FF6FE03D0F7D9FC5346EB0E575BDFA6C530AA57CD676894FC080D2DD049AB59625F4B9C78BCFD95CDCD2793E440E26E189D251121CB6EB177FEDB596409034E8B0C5BBD9BD9342235DBB226C9170EFE347FF0FD2CFF9A1F7B647CC83E4D8F005FD7125A89251C768AFE70BDD54B88116814D5030F499BCAC4673CCCC342FB4B6AC58EA5A64546DC25912B6C430529F6A7F449FD96536DE269D1A1B015A4AC6B6E46EE19DCE8143726A6503E290E4BAE6BD78319B5878981F6CFFDB3B818209341FD68B]
m = libnum.s2n(flag)
c = str(pow(m, pub_key[1], pub_key[0]))
aaa = []
bbb = [
0xD28ED952,
1472742623,
0xD91BA938,
0xF9F3BD2D,
0x8EF8E43D,
617653972,
1474514999,
1471783658,
1012864704,
0xD7821910,
993855884,
438456717,
0xC83555B7,
0xE8DFF468,
198959101,
0xC5B84FEB,
0xD9F837C6,
613157871,
0x8EFA4EDD,
97286225,
0x8B4B608C,
1471645170,
0xC0B62792,
583597118,
0xAAB1C22D,
0xBDB9C266,
1384330715,
0xAE9F9816,
0xD1F40B3C,
0x8206DDC3,
0xC4E0BADC,
0xE407BD26,
145643141,
0x8016C6A5,
0xAF4AB9D3,
506798154,
994590281,
0x85082A0B,
0xCA0BC95A,
0xA7BE567C,
1105937096,
1789727804,
0xDFEFB591,
0x93346B38,
1162286478,
680814033,
0xAEE1A7A2,
0x80E574AE,
0xF154F55F,
2121620700,
0xFCBDA653,
0x8E902444,
0xCA742E12,
0xB8424071,
0xB4B15EC2,
0x943BFA09,
0xBC97CD93,
1285603712,
798920280,
0x8B58328F,
0xF9822360,
0xD1FD15EE,
1077514121,
1436444106,
0xA2D6C17E,
1507202797,
500756149,
198754565,
0x8E014807,
880454148,
1970517398,
0xBFC6EE25,
1161840191,
560498076,
1782600856,
0x9D93FEBE,
1285196205,
788797746,
1195724574,
0xF2174A07,
103427523,
0x952BFE83,
0xF730AC4C,
617564657,
978211984,
1781482121,
0x8379D23A,
0xEAD737EE,
0xE41555FB,
659557668,
0x99F3B244,
1561884856,
0x842C31A4,
1189296962,
169145316,
0xA5CE044C,
1323893433,
824667876,
408202876,
0xE0178482,
0xF412BBBC,
1508996065,
162419237,
0xDE740B00,
0xB7CB64FD,
0xEBCADB1F,
0x8EAE2326,
0x933C216C,
0xD7D1F649,
481927014,
0xA448AC16,
0xBC082807,
1261069441,
2063238535,
0x8474A61D,
101459755,
0xBC5654D1,
1721190841,
1078395785,
176506553,
0xD3C5280F,
1566142515,
1938949000,
1499289517,
0xC59872F8,
829714860,
0xE51502A2,
952932374,
1283577465,
2045007203,
0xEBE6A798,
0xE09575CD,
0xADDF4157,
0xC4770191,
482297421,
1734231412,
0xDAC71054,
0x99807E43,
0xA88D74B1,
0xCB77E028,
1533519803,
0xEEEBC3B6,
0xE7E680E5,
272960248,
317508587,
0xC4B10CDC,
0x91776399,
27470488,
1666674386,
1737927609,
750987808,
0x8E364D8F,
0xA0985A77,
562925334,
0x837D6DC3]
i = 0
if i < len(c):
ᘞ = 0
aaa.append(ᘞ)
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2022-7-18 20:42
被XUNVVAY编辑
,原因: 添加标题
赞赏记录
参与人
雪币
留言
时间
伟叔叔
为你点赞~
2023-3-18 01:52
一笑人间万事
为你点赞~
2023-1-12 02:54
狗敦子
为你点赞~
2022-10-28 21:30
XUNVVAY
为你点赞~
2022-7-19 19:38
赞赏
|
|
|---|---|
|
|
赞赏
雪币:
留言:
