博客围绕Crypto题目展开,涉及base和rwx两部分。解题思路是找到初始明文进行加密爆破匹配验证,如对rwx部分取flag字节倒数三位bit数进行排列组合爆破,针对e参数对字符右移三位后的数值进行爆破,同时提醒编码时注意编码方式。
Crypto
base
明文的md5值为16478a151bdd41335dcd69b270f6b985
然后直接对明文进行解密:
最终flag:flag{base64wtfwtf123}
rwx
题目源码:
from flag import flag
from Crypto.Util.number import long_to_bytes,bytes_to_long
from os import urandom
import hashlib
def know(m):
r=[]
w=[]
x=[]
e=[]
for i in m:
r.append(bin(ord(i))[-1])
w.append(bin(ord(i))[-2])
x.append(bin(ord(i))[-3])
e.append(ord(i)>>3)
return r,w,e,x
def inf(r,w,x,files):
re=[]
for i in range(len(files)):
re.append(long_to_bytes(int(bin(bytes_to_long(files[i]))[2:]+r[i]+w[i]+x[i],2)))
return re
r,w,e,x=know(flag)
files=[]
f=open("output","wb")
for i in range(len(flag)):
files.append(urandom(8))
for i in files:
f.write(i.encode("hex")+"\n") #-----------写入1----------------------
files=inf(r,w,x,files)
for i in files:
f.write(hashlib.sha256(i).hexdigest()+"\n") #------写入2-----------------
for i in e:
f.write(hashlib.sha256(str(i)+urandom(2)).hexdigest()+"\n")#-----写入3------------
print r
print w
print x
print e
题目分析:
首先找明写入文件的内容到底是什么
我们可以发现写入的三部分内容在循环的时候可以发现是等长的,每一段都是flag的长度len(flag)
然后在题目附件中我们可以看到有129内容 然后除3 正好是每段43行
此外md5不可逆 我们知道其密文摘要 所以整体的解题思路就是找到初始明文进行加密爆破匹配验证。
把附件贴在后面吧 供师傅们复现使用
然后进行函数剖析:
首先是对know函数: 可以看出r w x部分是取flag中每个字节的倒数三位bit数 只有0和1两种情况,然后对于files我们又是已知的 所以对三个0和1的排列组合我们进行爆破
在inf()函数如果采用相同的解密结果得到的值与写入文件的sha256摘要相等 就证明我们找到了正确的rwx
到此rwx可以通过爆破获得
然后是针对e参数 将flag的字符右移三位 相当于舍去了三bit位数值 这舍去的就是xwr 一定注意拼接顺序
那个恢复e的方法相比有点麻烦
首先是e本身我们是不知道的 但是我们对flag字符进行测试 发现其ord() 源码长度在7位左右 去掉低三位(因为进行了右移操作嘛)剩下四位形成的十进制数我们在0到17之间爆破就可以啦
然后还有个地方需要爆破 才能进行匹配 那就是随机生成的urandom(2)
每个字节都是0-256之间的对应字符 进行爆破即可
注意避大坑!!!
在对字节爆破进行编码的时候 一定不能使用utf8 默认编码方式而是采用latin-1 编码方式
因为我们在使用urandom(2)函数生成的时候存在b'\x96a' 这样一组字符
然后我在ascii码中寻找\x96的身影应该是150对应
但是当对chr(150).encode() 却存在前缀\xc2\x96a 这就导致始终无法匹配
通过多次尝试摸索 当chr(150).encode("latin-1") 时 只返回\x96没有前缀可以正常爆破
完整exp:
#---------第一部分:恢复rwx-----------------------------------------
f=open("output","r")
files = []
for i in range(43):
filed = f.readline()
byt = filed[:-1]
file = bytes.fromhex(filed)
files.append(file)
import string
from Crypto.Util.number import *
import hashlib
def inv_inf(j,m,k,file,test):
tmp = long_to_bytes(int(bin(bytes_to_long(file))[2:]+j+m+k,2))
tmp = hashlib.sha256(tmp).hexdigest()
if tmp == test:
return True
else:
return False
r = []
w = []
x = []
for i in files:
test = f.readline()[:-1] #注意因为我们后面尝试 所以这个不能每次试都读下一行
for j in range(2):
for m in range(2):
for k in range(2):
if inv_inf(str(j),str(m),str(k),i,test):
r.append(j)
w.append(m)
x.append(k)
print(r,w,x)
#-------第二部分:恢复e 拿flag----------------------------------------------------
from os import urandom
res = []
for x,y,z in zip(r,w,x):
test = f.readline()[:-1] #去除换行字符
for e in range(0,17):
for u in range(256):
for n in range(256):
ran = chr(u).encode("latin-1")+chr(n).encode("latin-1")
tmp = hashlib.sha256(str(e).encode("latin-1")+ran).hexdigest()
# print(i,flag) 注意如果每次都进行输出那么效率会大大下降
if tmp == test:
flag.append(e)
re = str(bin(e)) + str(z) + str(y) + str(x)#一定注意顺序
res.append(chr(int(re,2)))
print(''.join(res))
#flag{8uuuuu_dd_3yyyui_like_the_internet_g0}
附件:
abb490d5efe69766
a42c15dd0717102b
ee0d2fc5c7351947
4876242f69135f77
f7f7e8648cf39204
594b5fb7c4396a5d
5b254e10bc3f2e83
d27b465c51cb56aa
02fde9f77e201f13
5a5a717c5610113c
0228c96208f04be7
1f21b57c69e164c6
eb9ff8ed6de6ae5a
e9ff62161ebfd07f
fc92701a784575fb
246fb05d1f5a6f74
91a9a630e9e91e8b
c27160d38c8b8247
4b473325d4de665c
d1c1b9a58ca6d1e5
818cf44df4d7b088
569014c59066b916
408fb2edb34c77a9
d24576a95ddc151c
9284b46648b92a5c
073f776f6a36eb4a
1b9a6ff58b537364
9a327f0ff86f7687
be0fe6df6ce0726f
98734efb617a527b
3e0e772fd9669166
af8f0e61263ad605
326c9434cc213d55
5d6df6d0425fd13c
c798fca9337f4e09
b8b44901c1e2847c
39c7932c6c9565d8
0df12d3f4023f6cf
df47f8efee88f469
92bbcc351d041479
77b55a5574fa0830
24b60c00c2cda9c2
3c00ce8fad4bdb0e
3368003bfbca99e727ddfe6de1976fe7133392ddcf1e9b858af76aec41a3a0d6
e5cf55af23a0c8b42b4d9f22d1c9dfc2b04a22c0202cd35c783bbf9b82e79525
54ad655d2f450d96eb0198dd620758cbddc8987656b195df04a5e254447e9f19
d093a5e18283d59816ed32156eaaabe64fc2575bc3cee6b4fccf6325d4b669a3
8d32f93d356a459e8c2807c91ab52581c2d3ea225187b8fc2b7d6dc0dbf81500
8778e6d1901c10b1d1090c32cef6aeb36702d37dceac8c0e5a16356473f82a15
090bfe2dd0be43160b406e6b33845c6c5bde6bf47d466d26b7f69ea896eddfdd
91e3ece70e184e3f768925751fb5a0c2cf9369d6bc268464cd2737af38dea781
f16f4fae20ae181dc5a332e423a2a79fb3e2d28f072cb7ba2f8a0b29e2c1c698
b5efdd3705fcf45d3b330202e0387ab9d24c1b79af9577ba0563b669d420723d
d31afdf0eb4149e516658867b07b3032ec3d685f2eb68a565249f4f439a688fa
ac039fae367745a39019561e4f9f953068d0b4639c19a5eaf7a05abc46e734e0
f09637c3a24c14ad0d4fd442ede44009f85f898d506f9ba7a8563650cc4068e5
4bedd3d498e83bd16f363a3eaed9209d1b700f63eeb6f96f775d97ab31cac5f8
33c37802ce6c6dc22d15e60b62e68649ac2d2888ec1ea6fc8c44e01d9869dd75
b5610f79b982ce4666b0df76539cfd74255a00aca06d08acd05eaa7d60084a1c
24a8467f30d49602dc24318cd0665ea57b3333ed22aefde5f161a5f3044272bd
4b1b131e729d9bd102bd27ced202f6d5d800c2c17969c04a30bc7ad29664e59a
19429fd0d54ccf175abd9c4ecc7f24de183f5fee5193c5e895638dcda6a8bc27
6ce1410665315540b25e34c0f1e058567d88ef4fa91e710114f20d62114fd550
fec593226268610fbbc5352d0fb1f41b79a77eab3a2429f731feebaeb23841f7
33935fb947103ab453057052223fd5958a8897b665c8b3650b5cfaf1d8cccdc7
888b1eb7a6d29dc1cef64e6cc539d68b024c109736915630d5ddacc9c636851f
9970385c755daf6275142edb885d03506a738762bf5bfa957f9aadb31f31cb7a
c5ff5de1968b6458758a641d70525d098272c714840e0c2057ba8ec05d531b63
2c208eb6a63a5beca0488ee83d4e5f0eedcc29227f6f25cddd169e87bd07a320
b1d6e133e07eacfa6fbdcd9178344a861599d73c0aa1480b7b0bd7335736d665
aefbae60c94eea15bfbc7a2824f7032b2740f95e19460bde15aae20cae0722ca
6bdfea1b95fd48f168d545e409626e783c272b12b0895cbd17564dbbcf2da66f
02a1b05474d3a86672f76712f0338a00ce95af62b7c6d2aca5492d3d7a8c7305
3a011998e70fe4460f0acdec68a77933b41f6efbad345e66b18cf014cd88af88
cd0fdb32c3e60912b54a2c1f26df90c3243626f636a9c498acbebcbcc2cbebbc
87dc8336d829915f3f98709041cfa033be859e2b1ace2c9478e26c457e4aadc0
d2e84a52aa49ed36237c81ea9f2ff66ca9d48d406df092535971601e80ec31d1
042025bb6c7535549c2cb536a04125348c48454ac6a8210cfef8a71e50813aff
436308db651644f181d02c1b90368c150f5499836d71e6b7ae8e8334811a258e
5b8b9c76b17324ef5f35692b9ee069ec3c6135b1725bb82900bf3fbe953e0586
0506511cdc9561f76e5d85d147120fd746668b043f5a71760148008ebe37d9f0
6d89ad6b0a094a7f9a9bf4ee1ca2f3b0e5ec56f924b7efeb16fbdfbfd41358d3
25019aa8cec744ea6937729fd454100c6f5a589284b007c645c6d7c6ef58c8bc
39322232c9118f9541f6432913384444309fd10a0f627c9ecc2f95309701ab13
115a84ee3ac24122fd5482b0f7eb900ce99382ca41777cc2577c82cec766cab0
ed9f6161c423f30cc7ceac974ae5e432e755f08cb79b47ce3d43452dcf74c76c
a3df8f1e5dd063595188044473fa1c2bc69eec2e29bafaeeb3962c2750585fca
3f8bb91ade38f8e0b0e269a57191d70cf60ac2db4c79518e79b48c08a737f6cb
439190a055187e9c9a0120ed91b15365f716330c8df21cadcf14f6ea0f35b4b8
dd1ce000a01a41ead05d03d74e184345aa1340c14873d75bf99275b6042c66a5
5e2002006de48dc19d2116bd6de751ede5bdcfd96bfafbc41d9a227b06c8f7e6
d05a972e1fa0d36533c88c3d6f51175df426ab3ad3950cbd82fe789907de7178
e108856d6e85ea36e8b0330a5b62489ce939c11f0e3aa673327eef4c87adfdf9
0f673f6397808e53248ce5778e31d669ad9ddcdd4c732a3dcea05a3c03322972
2c6d0af5b1ea6178d647eaad2a41f76bdf0111dce813b136262ab9cbd1a042da
2c4b24bc7213bd16739ac23b0988e27ea3b52fbf87b7c3648cae97d3535449d2
accea9e2c218217fc967bd11d772c442adf4cfbaf6d81c57e13eda48c907a584
befe454b22b4eb940732ab972657e474c211d6d9dfcddd34f68d9628b32d61fe
fc1090ba15ccae04a9648183bfd9050e5513d98035af00a83e9a371bcff72512
d85b886abcdc31f028a2be8fdfa31ef3510c4b7f099baa0f15b9308493f3d2a7
2e631a9a04bf11d2354df921e482d6059684cc746ca1725b6d62952739c75ade
31dcc3a2dd334474173f6d16adcd3546736ddea1dda53d7ae7120bc5bcbc12f1
11d699bf7dcc57780f5b4217b4a6f777c0c4cdbd4269bf76b3daa5b6a6901fcb
02ae1e11650bf5ea33b0f2b9a65e830a0e4ff33b64be2f84eb0c89aeea0718fb
e3d6ba04b3583099db6095205e50eaf338260cbd97c77c3b3d9058522f108892
81f062c17993b7266ce990b4d115721973958d5f81a9f24fa5e7c718b4bfd1be
9dbb8f5215d43034aff34bcb3a2cb950b76c5dc78320bf729739f28c2316c381
b5ce8e8ca3b8e872f7640f0980af6aec31cb8549f48911081264b87c94ed9a16
70cdeb42324021d98cb408f2e0e2425a4be90d6b263a44f05e65af40c842a105
ef679767995bfa61402bf90cd697f388199ed92b24e5a1cd67485f9951b73bf0
ccfb009cacb758e3ed525b4941c61e973d7bc2bc079c3a2bd089f85fbf634a2f
f367d169e7fed794e76f711a4f75c0dbf8ac9426f1da48374bc86f179487d83a
90e786a6c635b110c1a9e8b717809b665d2ea91cf0851e8615ea276628544a6d
926cc73a86228b74a4ef8a386c2ecd56c7ed1c8979f2437dd53aa8c1a15b5513
32e8b07e1f7bb7da7012fff02cdcf84971d976fe056ddba651731657c7bce278
dbd86282a86ce7523cc2920ecd87070f46f436f4c9436667599fff95b0ebdc1b
4ab6a0ad4b50df2e2a178576f4aae0c7289ea00385b9d29be0c4e3b2921b5f2d
1b9a6ed279789ca017162f12586aef68f0d55acbbfb85f7a0ea294ff22a2eacf
07fc3be55d5d43dcb80f69121d6847aa0d093d4d4f723017ef75ab5b09ec555b
efb6468f620d1a0dd71ddfdc66b1a5145a1666c07729db8cba93ccadf66d6363
25164ae1c0e8c1f6243fb7761310c398c607b3be6ff0cdc41fa7583288cece47
01baccd7e9415275d8e9f797b90362496935e279d02bcf68e5bcd89577688934
e6bb9d20c9f7b528dcf323143fde093be6859b63583e58fbe0c319d5f6104cfd
048856baa298e3d69421db8f4777fd44756f25933484edf6574f1ad0c3a35d6a
0799af8cad7311dd6c27f07a1b13e57eb81d9ff79520b05428d6599105d41c37
f34f86804facfee48869f64b42b2f507fab255425001d368078bae02ae660f21
dc658b6bef96c02fd9ddcf1aaa442a5994c4789cc6ab76b2e592a36e0f61e205
8852c503f1fe03706f3a6afffed6f5ad6a9f375f7ef430fc29ecbefc7696d28c
62a37ed7404473449d756a1750ff5d65de9b3e27e10367e63a25e38681a144d3
我是哈皮,祝您每天嗨皮!我们下期再见~
扫一扫
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
