题目信息
解题思路
解题步骤
1.安装utf9模块和测试
git clone https://github.com/enricobacis/utf9 cd utf9 python setup.py install
(base) ┌──(holyeyes㉿kali2023)-[~/Misc/题目/14/you_need_python_by sunnyelf]
└─$ git clone https://github.com/enricobacis/utf9
(base) ┌──(holyeyes㉿kali2023)-[~]
└─$ jupyter notebook
kali的jupyter的python2环境有问题,只能安装anaconda2的windows版本
知识点
marshal:python内部对象序列化。此模块包含一些能以二进制来读写python值的函数
base64:一种基于64个可打印字符来表示二进制数据的方法
zlib压缩算法:提供数据压缩用的函式库
rfc系列:定义utf9和utf18两种unicode转换编码格式
2.分析py文件
看到exec(marshal())可知后面的文本被解析为一串python命令并执行。Marshal的操作对象是python字节码,将其保存为pyc文件加上对应版本的magic_header,然后pyc反编译可得到源码
3.分析key数据文件
文件名提示rfc4042,查看内容可知定义了utf9编码,按照规则手工实现一个utf9转utf8或者调用python的库解密即可。
4.分析得到的代数表达,x个_代表x
用数字替换了_之后,python运行输出,int转成字符即可得到key
5.
import utf9
dt = ''
with open('key_is_here_but_do_you_know_rfc4042', 'r') as f:
t = f.read()
dt = utf9.utf9decode(t)
print dt
_____*((__//__+___+______-____%____)**((___%(___-_))+________+(___%___+_____+_______%__+______-(______//(_____%___)))))+__*(((________/__)+___%__+_______-(________//____))**(_*(_____+_____)+_______+_________%___))+________*(((_________//__+________%__)+(_______-_))**((___+_______)+_________-(______//__)))+_______*((___+_________-(______//___-_______%__%_))**(_____+_____+_____))+__*(__+_________-(___//___-_________%_____%__))**(_________-____+_______)+(___+_______)**(________%___%__+_____+______)+(_____-__)*((____//____-_____%____%_)+_________)**(_____-(_______//_______+_________%___)+______)+(_____+(_________%_______)*__+_)**_________+_______*(((_________%_______)*__+_______-(________//________))**_______)+(________/__)*(((____-_+_______)*(______+____))**___)+___*((__+_________-_)**_____)+___*(((___+_______-______/___+__-_________%_____%__)*(___-_+________/__+_________%_____))**__)+(_//_)*(((________%___%__+_____+_____)%______)+_______-_)**___+_____*((______/(_____%___))+_______)*((_________%_______)*__+_____+_)+___//___+_________+_________/___
# 似乎不能直接u'_'会验证不出来,因此用dt[0]代替
ul = dt[0]
cnt = 0
ns = ''
for i in dt:
if i is ul:
cnt += 1
else:
if cnt != 0:
ns += str(cnt)
cnt = 0
ns += i
else:
ns += i
# add
ns += str(cnt)
ns = ns.replace('//', '/')
print ns
key = eval(ns)
print key
# 5287002131074331513 key
5*((2/2+3+6-4%4)**((3%(3-1))+8+(3%3+5+7%2+6-(6/(5%3)))))+2*(((8/2)+3%2+7-(8/4))**(1*(5+5)+7+9%3))+8*(((9/2+8%2)+(7-1))**((3+7)+9-(6/2)))+7*((3+9-(6/3-7%2%1))**(5+5+5))+2*(2+9-(3/3-9%5%2))**(9-4+7)+(3+7)**(8%3%2+5+6)+(5-2)*((4/4-5%4%1)+9)**(5-(7/7+9%3)+6)+(5+(9%7)*2+1)**9+7*(((9%7)*2+7-(8/8))**7)+(8/2)*(((4-1+7)*(6+4))**3)+3*((2+9-1)**5)+3*(((3+7-6/3+2-9%5%2)*(3-1+8/2+9%5))**2)+(1/1)*(((8%3%2+5+5)%6)+7-1)**3+5*((6/(5%3))+7)*((9%7)*2+5+1)+3/3+9+9/3 5287002131074331513
import marshal, zlib, base64
bs = marshal.loads(zlib.decompress(base64.b64decode('eJxtVP9r21YQvyd/ieWm66Cd03QM1B8C3pggUuzYCSWstHSFQijyoJBhhGq9OXJl2ZFeqAMOK6Q/94f9Ofvn1s+d7Lgtk/3O997du/vc584a0eqpYP2GVfwDEeOrKCU6g2LRRyiK4oooFsVVUSqkqxTX6J1F+SfSNYrrdKPorC76luhbpOEGCZNFZw2KG3Rmk26QtuXi3xTb7ND6/aVu0g2RuvhEcZNut5lAGbTvAFbyH57TkYLKy8J6xpDvQxiiiaIlcdqJxVcHbXY6bXNlZgviPCrO0+StqfKd88gzNh/qRZyMdWHE29TZZvIkG7eZFRGGRcBmsXJaUoKCQ9fWKHwSqNeKFnsM5PnwJ7q2aKk4AFhcWtQCh+ChB5+Lu/RmyYUxmtOEYxas7i/2iuR7Ti14OEOSmU0RADd4+dQzbM1FJhukAUeQ+kZROuLyioagrau76kc1slY1NNaY/y3LAxDQBrAICJisV2hMdF2lxQcyFuMoqcX3+TCl6xotqzSpkqmxYVmjXVjAXiwBsEfBrd1VvTvLCj2EXRnhoryAKdpxcIgJcowUB68yAx/tlCAuPHqDuZo0CN3CUGHwkPhGMA7aXMfphjbmQLhLhJcHa0a+mpgB191c1U1lnHJQbgkHx+WGxeJbejnpkzSavo2jkxZ7i725npGAaTc8FXmUjbUETHUmkxXN5zqL5WiWxwE7Bc11yyYzNJpN02jerq+DzNNodfxOX8kE4FcmYKscDdYD1oPGGucXYNmgs1F+NTf3GOt3Mg7b+NTVruqoQyX1hOEUacKw+AGbP38ZOq9THRXaSbL5pXGQ8bho/Z/lrzQaHxdoCrlev+t6nZ7re57r+57rHXag93Deh37k+vuw9zorO/Qj/B50cAf2oyOsvut3D+ADWxdxfN/1Drqu39mHzvcRswv/Hvz7sHeg9w8Qzy99DzuFwxhPhs6zWTbOI3OZRiaZZcVj5wVwOklx7OwVxR47PR46r/SVM8ulBJic9zku/eqY/MqJxiDj+Gd55wS3f35pbLCzHoEwzKKpDkN5i+TR+1AYCWTo5IV0Z0P9H3phDDd6lMzPdS5bbo9eJGbTsW9nbDqLL1N9Iq+rRxDbll2x67a9Lf27hw5uK1s1rZr6DOPF+FI=')))
import uncompyle2
with open('f.py', 'w') as f:
uncompyle2.uncompyle('2.7', bs, f)
import hashlib
def sha1(string):
return hashlib.sha1(string).hexdigest()
def calc(strSHA1):
r = 0
for i in strSHA1:
r += int('0x%s' % i, 16)
return r
def encrypt(plain, key):
keySHA1 = sha1(key)
intSHA1 = calc(keySHA1)
r = []
for i in range(len(plain)):
r.append(ord(plain[i]) + int('0x%s' % keySHA1[i % 40], 16) - intSHA1)
intSHA1 = calc(sha1(plain[:i + 1])[:20] + sha1(str(intSHA1))[:20])
return ''.join(map(lambda x: str(x), r))
if __name__ == '__main__':
# key = raw_input('[*] Please input key:')
# plain = raw_input('[*] Please input flag:')
# encryptText = encrypt(plain, key)
cipherText = '-185-147-211-221-164-217-188-169-205-174-211-225-191-234-148-199-198-253-175-157-222-135-240-229-201-154-178-187-244-183-212-222-164'
# if encryptText == cipherText:
# print '[>] Congratulations! Flag is: %s' % plain
# exit()
# else:
# print '[!] Key or flag is wrong, try again:)'
# exit()
key = 'I_4m-k3y'
flag =''
for i in range(len(cipherText)/4):
# 一般31-128才是常用字符
for j in range(31, 128):
if encrypt(flag+chr(j), key) == cipherText[0:i*4+4]:
print j,
flag += chr(j)
break
print '\n'
print flag
102 108 97 103 123 76 105 102 51 95 105 53 95 53 104 48 114 55 95 85 95 110 51 51 100 95 80 121 55 104 48 110 125 flag{Lif3_i5_5h0r7_U_n33d_Py7h0n}
# rfc4042 -> utf9 utf16
# https://github.com/enricobacis/utf9/tree/efb1b2c64c7974ba2f5bd542514a8771183e0c70
import utf9
dt = ''
with open('key_is_here_but_do_you_know_rfc4042', 'r') as f:
t = f.read()
dt = utf9.utf9decode(t)
print dt
'''
_____*((__//__+___+______-____%____)**((___%(___-_))+________+(___%___+_____+_______%__+______-(______//(_____%___)))))+__*(((________/__)+___%__+_______-(________//____))**(_*(_____+_____)+_______+_________%___))+________*(((_________//__+________%__)+(_______-_))**((___+_______)+_________-(______//__)))+_______*((___+_________-(______//___-_______%__%_))**(_____+_____+_____))+__*(__+_________-(___//___-_________%_____%__))**(_________-____+_______)+(___+_______)**(________%___%__+_____+______)+(_____-__)*((____//____-_____%____%_)+_________)**(_____-(_______//_______+_________%___)+______)+(_____+(_________%_______)*__+_)**_________+_______*(((_________%_______)*__+_______-(________//________))**_______)+(________/__)*(((____-_+_______)*(______+____))**___)+___*((__+_________-_)**_____)+___*(((___+_______-______/___+__-_________%_____%__)*(___-_+________/__+_________%_____))**__)+(_//_)*(((________%___%__+_____+_____)%______)+_______-_)**___+_____*((______/(_____%___))+_______)*((_________%_______)*__+_____+_)+___//___+_________+_________/___
like brainfuck?
'''
# underline
ul = dt[0]
cnt = 0
ns = ''
for i in dt:
if i is ul:
cnt += 1
else:
if cnt != 0:
ns += str(cnt)
cnt = 0
ns += i
else:
ns += i
# add
ns += str(cnt)
ns = ns.replace('//', '/')
print ns
key = eval(ns)
print key
# 5287002131074331513 key
hk = hex(key)[2:]
print hk
kk = ''
for i in range(len(hk)/2):
kk += chr(int('0x' + hk[i*2:i*2+2], 16))
print kk
_____*((__//__+___+______-____%____)**((___%(___-_))+________+(___%___+_____+_______%__+______-(______//(_____%___)))))+__*(((________/__)+___%__+_______-(________//____))**(_*(_____+_____)+_______+_________%___))+________*(((_________//__+________%__)+(_______-_))**((___+_______)+_________-(______//__)))+_______*((___+_________-(______//___-_______%__%_))**(_____+_____+_____))+__*(__+_________-(___//___-_________%_____%__))**(_________-____+_______)+(___+_______)**(________%___%__+_____+______)+(_____-__)*((____//____-_____%____%_)+_________)**(_____-(_______//_______+_________%___)+______)+(_____+(_________%_______)*__+_)**_________+_______*(((_________%_______)*__+_______-(________//________))**_______)+(________/__)*(((____-_+_______)*(______+____))**___)+___*((__+_________-_)**_____)+___*(((___+_______-______/___+__-_________%_____%__)*(___-_+________/__+_________%_____))**__)+(_//_)*(((________%___%__+_____+_____)%______)+_______-_)**___+_____*((______/(_____%___))+_______)*((_________%_______)*__+_____+_)+___//___+_________+_________/___ 5*((2/2+3+6-4%4)**((3%(3-1))+8+(3%3+5+7%2+6-(6/(5%3)))))+2*(((8/2)+3%2+7-(8/4))**(1*(5+5)+7+9%3))+8*(((9/2+8%2)+(7-1))**((3+7)+9-(6/2)))+7*((3+9-(6/3-7%2%1))**(5+5+5))+2*(2+9-(3/3-9%5%2))**(9-4+7)+(3+7)**(8%3%2+5+6)+(5-2)*((4/4-5%4%1)+9)**(5-(7/7+9%3)+6)+(5+(9%7)*2+1)**9+7*(((9%7)*2+7-(8/8))**7)+(8/2)*(((4-1+7)*(6+4))**3)+3*((2+9-1)**5)+3*(((3+7-6/3+2-9%5%2)*(3-1+8/2+9%5))**2)+(1/1)*(((8%3%2+5+5)%6)+7-1)**3+5*((6/(5%3))+7)*((9%7)*2+5+1)+3/3+9+9/3 5287002131074331513 495f346d2d6b3379L I_4m-k3y