DASCTF X GFCTF 2022 October Challenge!
贪玩CTF
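The TLS callback function contains anti-debugging.
Dynamic debugging reveals AES signatures; the account name is the key, so decrypt directly with ECB.
First recover the name: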
enc = [0x04, 0x1F, 0x1F, 0x1E, 0x43, 0x4B, 0x43, 0x45, 0x44, 0x00, 0x16, 0x10, 0x55, 0x17, 0x12, 0x73]
# the first 15 bytes are XORed with the last byte
for i in range(15):
    enc[i] ^= enc[15]
print(bytes(enc))
# b'wllm08067sec&das'
The key is name_input:
from Crypto.Cipher import AES

enc = [0x3C, 0x97, 0x72, 0x96, 0x5A, 0x33, 0x63, 0x9C, 0x97, 0x30, 0x4D, 0x90, 0x84, 0xE8, 0x5F, 0x56]
c = bytes(enc)
key = b'wllm08067sec&das'
my_aes = AES.new(key, AES.MODE_ECB)
m = my_aes.decrypt(c)
print(m)  # b'e4deb7a6510a10f7'
DASCTF{wllm08067sec&dase4deb7a6510a10f7}
pycode
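After staring at the Python bytecode for a long time and recovering part of it, I found that a similar challenge exists online.
Searching for extract_number turned up the challenge "[SUCTF2019]MT (MT19937: reversing extract_number)" on 宁嘉's CSDN blog.
Just take that script and tweak it: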
# python3
from Crypto.Random import random
from Crypto.Util import number

def convert(x):
    # MT19937-style tempering with the challenge's own masks
    x = x ^ (x >> 11)
    x = ((x << 7) & 2022072721) ^ x
    x = ((x << 15) & 2323163360) ^ x
    x = (x >> 18) ^ x
    return x

def transform(message):
    # apply convert() to each 4-byte block
    assert len(message) % 4 == 0
    new_message = b''
    for i in range(len(message) // 4):
        block = message[i * 4 : i * 4 + 4]
        block = number.bytes_to_long(block)
        block = convert(block)
        block = number.long_to_bytes(block, 4)
        new_message += block
    return new_message

def circle(m):
    # keep transforming until the value cycles back to m;
    # the value just before that is the preimage of m
    t = m
    while True:
        x = t
        t = transform(t)
        if t == m:
            return x

a = '8b2e4e858126bc8478d6a6a485215f03'
flag = circle(bytes.fromhex(a)).hex()
print('transformed_flag:', flag)
cuteRE
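The code is obfuscated, but the obfuscation doesn't do much.
RC4 and base64; the key logic sits inside exception handlers, but dynamic debugging gets through it.
The odd and even positions are encrypted separately:
one half with base64, the other with RC4.
The base64 table: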
'ghijklmnopqrstuvwxyz0123456789+/ABCDEFGHIJKLMNOPQRSTUVWXYZabcdef'
The RC4 key:
szv~
enc = [0x72, 0xA7, 0xE5, 0xB1, 0xBF, 0xD1, 0x3A, 0xC9, 0x7E, 0x5D, 0x83, 0xA8, 0x21, 0x4F, 0x70, 0x90]
a = [0] * 256
key = "szv~"
# RC4 key scheduling
for i in range(256):
    a[i] = i
v6 = 0
for j in range(256):
    v6 = (ord(key[j % len(key)]) + v6 + a[j]) % 256
    v3 = a[j]
    a[j] = a[v6]
    a[v6] = v3
# RC4 keystream generation, XORed onto the ciphertext
v7 = 0
v8 = 0
for k in range(len(enc)):
    v8 = (v8 + 1) % 256
    v7 = (v7 + a[v8]) % 256
    temp = a[v8]
    a[v8] = a[v7]
    a[v7] = temp
    enc[k] ^= a[(a[v7] + a[v8]) % 256]
print(bytes(enc))
# b'ACFg0Gw1Jo5Ix9C}'

# interleave the two halves to rebuild the flag
s1 = 'DST{Wo7Xj5Ad8Nx8'
s2 = 'ACFg0Gw1Jo5Ix9C}'
for i in range(len(s1)):
    print(s1[i] + s2[i], end='')
For the last RE challenge, I'll wait for someone else's writeup.