前言
好游戏)
流程
在通关游戏后,我们会收到一封来自作者的邮件,这时我们重启游戏,会触发最后的试炼。拉到那个邮件最后会要我们输入一个密码,那么接下来我们就要去找密码了。
首先在这个邮件的中间有两行不太明显的字:
那么我们用everything全局搜索一下就能找到这个文件了,010查看发现是7z文件,带密码,直接PasswareKit爆破,密码是password:
得到一个html,访问查看源代码有一串base64,解码:
得到一个哈希值,提示我们是个文件夹,继续全局搜索,发现了这个文件夹,下面有两个文件:
ida看看这个exe:
拿到了password是iamnottom,输入密码后会输出这一段私钥,这是一段RSA的私钥,提取一下数据:
当然直接用私钥解也可以,exp:
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric import padding
import base64
pem_private_key = """
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQC04AAI4K7DdGTx
KL86f54wT0ouQrDlL4krCz7DfeuFtaRPbHR/X+2wV7iX+e+doquuAgJ56DyLaRgm
ZxV6ksn/vfg0qVJlKfgfqnUsH+5quun14oc7gsdNWHkJqUh9O8pTce/ElK2YbABi
9J06p4Z1PyxpjTkViFz+YVpY5zHo2ysa4tlH1VCpYjjzUQXAMD3NbroBXTYa2Lex
UI/Xb2mnZepcGc5/ovQAzf227ORwNS6TcQiz0Wa+V7Ggz3fNBqtqipVg6QHT71a7
TOfZCOPTOW6K49p70DX+3Z3ezpIiX/ZpgBGGAckMGsNsI8lGIAR3vjXsNBeQ0sn2
FFnp+T+9AgMBAAECggEAFo0TFAhHYdEiQLsO1JFSvL02B3yDJ5/8nyRAyAjsE3ip
Ksnf4H2qWeEl/7TGvkWo2AIiIubknZEV1LvnfqfMjZk22AIAZuKLsA8FmuHETQRO
5TxAFhhhFvCf7qdvhUWuHSdIeJ784dMdXTkYXVbDudyNgf98jYW56nFi3VC99UUg
TaZWXAwr0yjDVqRWe2TpqjDAqNauvVFOhJgsNQ2yJf+XjqTLngM05vQg97CY1BUa
pQ4YlvonfX2t4URxz5wsf88DJCRvjTuedezNFyMfyJyPWFylDsvoio9UTk000Tae
Zr7Ab0e+gMbdcgo7lgOw7jue0mM+SH/uILU8SaRHVQKBgQDpcibMd56CQ0MT7Kw/
Zue1hpjrcaWlCK5nZ/21Eyu5giAA8CcKvTAL08r4E/ZV7gs28wsk8TZ/wvP63Xqj
+Z+t98IRgJyFhed/2cUHRjEtGBkPbrzG0f2QgzDXx2Xkg27h6xXH7SSCZ6SV5Wr2
Ngnt9LuKmjnQx90sAhBxRpblIwKBgQDGWZr/DBncbK6/SKKr+h7sf8fWmEJvlC9E
2pyszEm6foKMxUKOCLpvzLuXZBDDj4tJrPg2oGaA2zU9TAvzX6spT7VnvJhwmP+r
+QUysTnv0rUZDs5mHGYbjWly+9J6GcYzb896kL6EMK9BNGVfSiH2vsV6ugYJIo61
Zkv/+6/FnwKBgQC7qp3QL7WIiKQLB29tRL+vKXYTiHgeVP1Hecz2XWQALMCnoGfy
dSaDy45Wok2cxNHVKctitlsWmFXk7VmjKpCYnR0xTtAFcyEooZuH/oCX/NBgnKg7
uSJ7o0uHm++opZRlH8SRxW1dPA6OxjCXn9eZqO1/Pf6Ofa2qrDolpha2OwKBgG23
y0Eh1HxVsiQlbbZr2QdBd62A8978vVj9BIWhS3dZ26U6yKIAugB1457Ov2ct1AKh
J3wwJgNJPp31nva1CN0FNnd3n2tJdsQOL43m8wFyMLL3ubxKIUFEa/wqyDa6YyS4
yLAnuPsuYwNSlHCtdTQkOuC0XfpXn1FAkPG8q3JJAoGBAMy4385KPM27iQE38UBm
9gh17VBqaUxd+9s6Zkb4noS00vR3S0oDrQaNIdPCJphm1xlewqx2jbYMQX7aDrgF
r7mV6V2V78Ex8P7YoL9CfndnoYcq5mZTwKhuKZaenHNYk33qAuEVOkwGI+JcedSn
OHYMpp6ckBxSzsNcekc+mH0i
-----END PRIVATE KEY-----
"""
base64_encrypted_message = "gAp9xge69vuNF4Kyr/UcjO3iFlFt+e5OFZ5/zYcv703qor2K0eorwcbddlgX/6JiAq1+qnbKPnOZ+MHk7Vy55wKeLYShEvc44jZYT0HIoHLEczXOFgq8qdNsF7RhjNYNNKzDy1cc0i2pDXGTczxqct0CUkHUNI0jkpn9Vm8O19J/caIWb1NdOzfhr86gEzehkXh560sv5X8LBgo0kmJc9pEprJ+SV9vQ4pA4W+C7AtipyC7FU/51tUI/Dl9q2hpUnE1Qt4PyBDsRiaWWQ0ORQCANEapVc/b70ffxYDim5aBfvwYhc7DEo5oFcQUOiAorOnWayzz3CE0I+4qu5nRqgg==="
private_key = serialization.load_pem_private_key(
pem_private_key.encode(),
password=None,
)
encrypted_message = base64.b64decode(base64_encrypted_message)
decrypted_message = private_key.decrypt(
encrypted_message,
padding.PKCS1v15()
)
print("message:", decrypted_message.decode())
结果为b4e9ab2f61cbfda4,这是一段hash,cmd5解:
哈哈,拿到密码了,我们提交这个密码,获得了真结局的成就,收到了最后一封邮件:
好玩,爱玩)