趁着上课摸鱼做了几题Misc,真就是杂项杯,就挂两题Re吧……
魔法叠加
pyc文件,修改了header,改回来之后可以手撸字节码,也可以继续修复下使用uncompyle6反编译
反编译得到脚本
import struct

# Decompiled challenge script, re-indented from the flattened listing.
# The obfuscated O/0 identifiers are replaced by descriptive names; the
# runtime strings (input prompt, output path) are left exactly as decompiled.

# 91-symbol base alphabet (O0O00O00O00O0O00O in the decompiler output).
BASE_ALPHABET = list(
    'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    'abcdefghijklmnopqrstuvwxyz'
    '0123456789'
    '!#$%&()*+,./:;<=>?@[]^_`{|}~"'
)


def encode(data):
    """Base91-encode the bytes in *data* and return the result as a str.

    Symbols are taken from the module-level ``current_table``, so the output
    depends on whichever rotated alphabet is bound when the call is made.
    """
    queue = 0          # pending bits, newest byte shifted in above the older ones
    queued_bits = 0    # number of valid bits currently held in ``queue``
    symbols = ''
    for pos in range(len(data)):
        queue |= struct.unpack('B', data[pos:pos + 1])[0] << queued_bits
        queued_bits += 8
        if queued_bits <= 13:
            continue
        # Emit 13 bits when their value is above 88, otherwise take 14 bits.
        value = queue & 8191
        if value > 88:
            taken = 13
        else:
            value = queue & 16383
            taken = 14
        queue >>= taken
        queued_bits -= taken
        symbols += current_table[value % 91] + current_table[value // 91]
    if queued_bits:
        # Flush the remainder as one symbol, or two when it does not fit in one.
        symbols += current_table[queue % 91]
        if queued_bits > 7 or queue > 90:
            symbols += current_table[queue // 91]
    return symbols


# O0O00O00O00O0O0O0 in the decompiler output: rebound to a rotated alphabet per layer.
current_table = []
# OO000O00O00O0O0O0 in the decompiler output: assigned here and never read again.
unused_table = []

text = input('plz input O0O0O0O0000O0O00O:\n')
for layer in range(52):
    # Layer ``layer`` uses the base alphabet rotated left by ``layer`` positions.
    current_table = BASE_ALPHABET[layer:] + BASE_ALPHABET[0:layer]
    text = encode(text.encode('utf-8'))

# The 52-times-encoded text is appended to 00.txt.
sink = open('./00.txt', 'a')
sink.write(text)
sink.close()
52层base91,每层码表都不一样:第 i 层(i = 0…51)使用的码表是基础码表循环左移 i 位,所以解码时要从最后一层的码表开始,按相反顺序逐层还原
找到出处
抄下来修改下
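# -*- coding:utf-8 -*-
"""
@Author: Mas0n
@File: das.py
@Time: 2021-10-24 11:12
@Desc: It's all about getting better.
"""
import struct


def decode(encoded_str):
    """Decode one base91 layer of *encoded_str* (bytes) and return bytes.

    Symbols are looked up in the module-level ``decode_table``, which maps a
    one-byte ``bytes`` key to its index in the alphabet of the current layer.
    Input bytes that are not in the table are skipped.
    """
    v = -1
    b = 0
    n = 0
    # bytearray keeps appends cheap; ``bytes +=`` re-copies the whole output
    # for every decoded byte, which is quadratic on the large outer layers.
    out = bytearray()
    for strletter in encoded_str:
        t = struct.pack('B', strletter)
        if t not in decode_table:
            continue
        c = decode_table[t]
        if v < 0:
            # First symbol of a pair: remember it until the second one arrives.
            v = c
        else:
            v += c * 91
            b |= v << n
            # The pair carried 13 bits if its low 13 bits exceed 88, else 14.
            n += 13 if (v & 8191) > 88 else 14
            while True:
                out.append(b & 255)
                b >>= 8
                n -= 8
                if not n > 7:
                    break
            v = -1
    if v + 1:
        # A trailing unpaired symbol contributes one final byte.
        out.append((b | v << n) & 255)
    return bytes(out)


keyMaps = ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '!', '#', '$', '%', '&', '(', ')', '*', '+', ',', '.', '/', ':', ';', '<', '=', '>', '?', '@', '[', ']', '^', '_', '`', '{', '|', '}', '~', '"']

# One alphabet per encoding layer: layer i is keyMaps rotated left by i.
allMaps = [keyMaps[i:] + keyMaps[0:i] for i in range(0, 52)]

# Path as on the author's machine; point it at your own copy of 00.txt.
with open(r"D:\Downloads\00.txt", "rb") as dic:
    flags = dic.read()

# The last layer applied by the encoder has to be removed first.
allMaps.reverse()
for i in range(0, 52):
    decode_table = dict((v.encode('utf-8'), k) for k, v in enumerate(allMaps[i]))
    flags = decode(flags)
    # Per-layer progress output (loop membership reconstructed from the flattened listing).
    print(flags[:8])
print(flags)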
马猴烧酒
简单反调试,patch掉
获取时间戳
变表base64编码
而后将结果的前16字节与假flag字符串 "flag{this_is_fake_flag}" 逐字节异或,得到SM4 Key
/* Decompiler pseudo-code (note the ui64/i64 literal suffixes), reflowed one
 * statement per line. The declarations of fake_flag, Destination, timestamp
 * and i are not part of this excerpt. */
strcpy(fake_flag, "flag{this_is_fake_flag}");  /* start from the decoy flag string */
/* Copy 16 bytes out of `timestamp`. Presumably this buffer already holds the
 * custom-table base64 text at this point -- confirm in the disassembly.
 * strncpy adds no terminator when the source has 16 or more characters; the
 * loop below reads exactly 16 bytes, so that does not matter here. */
strncpy(Destination, timestamp, 0x10ui64);
/* XOR the first 16 bytes of the decoy string in place with the copied bytes;
 * per the write-up, the resulting 16 bytes are the SM4 key. */
for ( i = 0i64; i < 16; ++i )
  fake_flag[i] ^= Destination[i];
用的非标准SM4,修改了Sbox,FK和CK
NEWPLAN/SMx: 国家商用加密算法 SMx(SM2,SM3,SM4) (github.com)
改下脚本
/*
 * S-box as recovered from the challenge binary (non-standard).
 * The standard SM4 S-box begins with 0xD6 and ends with 0x48; in this table
 * those two entries are swapped.
 * NOTE(review): the remaining entries were not compared one by one here --
 * diff the whole table against a reference implementation before relying on it.
 */
static const unsigned char SboxTable[16][16] =
{
    {0x48, 0x90, 0xE9, 0xFE, 0xCC, 0xE1, 0x3D, 0xB7, 0x16, 0xB6, 0x14, 0xC2, 0x28, 0xFB, 0x2C, 0x05},
    {0x2B, 0x67, 0x9A, 0x76, 0x2A, 0xBE, 0x04, 0xC3, 0xAA, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99},
    {0x9C, 0x42, 0x50, 0xF4, 0x91, 0xEF, 0x98, 0x7A, 0x33, 0x54, 0x0B, 0x43, 0xED, 0xCF, 0xAC, 0x62},
    {0xE4, 0xB3, 0x1C, 0xA9, 0xC9, 0x08, 0xE8, 0x95, 0x80, 0xDF, 0x94, 0xFA, 0x75, 0x8F, 0x3F, 0xA6},
    {0x47, 0x07, 0xA7, 0xFC, 0xF3, 0x73, 0x17, 0xBA, 0x83, 0x59, 0x3C, 0x19, 0xE6, 0x85, 0x4F, 0xA8},
    {0x68, 0x6B, 0x81, 0xB2, 0x71, 0x64, 0xDA, 0x8B, 0xF8, 0xEB, 0x0F, 0x4B, 0x70, 0x56, 0x9D, 0x35},
    {0x1E, 0x24, 0x0E, 0x5E, 0x63, 0x58, 0xD1, 0xA2, 0x25, 0x22, 0x7C, 0x3B, 0x01, 0x21, 0x78, 0x87},
    {0xD4, 0x00, 0x46, 0x57, 0x9F, 0xD3, 0x27, 0x52, 0x4C, 0x36, 0x02, 0xE7, 0xA0, 0xC4, 0xC8, 0x9E},
    {0xEA, 0xBF, 0x8A, 0xD2, 0x40, 0xC7, 0x38, 0xB5, 0xA3, 0xF7, 0xF2, 0xCE, 0xF9, 0x61, 0x15, 0xA1},
    {0xE0, 0xAE, 0x5D, 0xA4, 0x9B, 0x34, 0x1A, 0x55, 0xAD, 0x93, 0x32, 0x30, 0xF5, 0x8C, 0xB1, 0xE3},
    {0x1D, 0xF6, 0xE2, 0x2E, 0x82, 0x66, 0xCA, 0x60, 0xC0, 0x29, 0x23, 0xAB, 0x0D, 0x53, 0x4E, 0x6F},
    {0xD5, 0xDB, 0x37, 0x45, 0xDE, 0xFD, 0x8E, 0x2F, 0x03, 0xFF, 0x6A, 0x72, 0x6D, 0x6C, 0x5B, 0x51},
    {0x8D, 0x1B, 0xAF, 0x92, 0xBB, 0xDD, 0xBC, 0x7F, 0x11, 0xD9, 0x5C, 0x41, 0x1F, 0x10, 0x5A, 0xD8},
    {0x0A, 0xC1, 0x31, 0x88, 0xA5, 0xCD, 0x7B, 0xBD, 0x2D, 0x74, 0xD0, 0x12, 0xB8, 0xE5, 0xB4, 0xB0},
    {0x89, 0x69, 0x97, 0x4A, 0x0C, 0x96, 0x77, 0x7E, 0x65, 0xB9, 0xF1, 0x09, 0xC5, 0x6E, 0xC6, 0x84},
    {0x18, 0xF0, 0x7D, 0xEC, 0x3A, 0xDC, 0x4D, 0x20, 0x79, 0xEE, 0x5F, 0x3E, 0xD7, 0xCB, 0x39, 0xD6}
};

/*
 * System parameter FK. Only FK[0] differs from the standard value
 * (0xA3B1BAC6): its lowest bit is flipped.
 *
 * NOTE(review): `unsigned long` is 32 bits wide with Windows toolchains but
 * 64 bits on LP64 platforms. If the rest of sm4.c assumes 32-bit words, check
 * the output there before trusting a build made on such a platform.
 */
static const unsigned long FK[4] = {0xA3B1BAC7, 0x56AA3350, 0x677D9197, 0xB27022DC};

/*
 * Fixed parameter CK: 32 round constants as recovered from the binary. They do
 * not follow the standard sequence, which starts 0x00070E15, 0x1C232A31.
 */
static const unsigned long CK[32] =
{
    0xF4BFE18F, 0xA8AA055C, 0x8B266D2B, 0xB3819D47,
    0x0B1B3A85, 0xF7DB86B6, 0xC3279F82, 0x39D9C102,
    0xBEA224C9, 0xE75D4DAC, 0xAC61726C, 0x6F98AA6F,
    0xFA2ADA4E, 0x6A7CFF92, 0xA8066E7B, 0x7BE32F9F,
    0x8CD0FED3, 0x4B98AF71, 0x790C2CBC, 0xBF880433,
    0xAA46F582, 0x69C17A2C, 0x80BBD5E4, 0x24A02531,
    0x293D87B3, 0x75F159AD, 0xB750AE9D, 0x9886928C,
    0x05577A22, 0xB425E19F, 0x124D4F63, 0xE26F66D1
};
dump出密文,改下key
/************************************************************************* > File Name: SM4test.c > Author:NEWPLAN > E-mail:newplan001@163.com > Created Time: Thu Apr 13 23:55:50 2017 ************************************************************************/ #include <string.h> #include <stdio.h> #include "sm4.h" int main(int argc, char** argv) { unsigned char key[16] = {0x0B, 0x18, 0x18, 0x29, 0x16, 0x3A, 0x5E, 0x27, 0x1E, 0x2B, 0x5F, 0x3F, 0x32, 0x07, 0x5C, 0x56}; unsigned char input[16] = {0xF7, 0xEB, 0x5E, 0x87, 0x17, 0x9C, 0x74, 0x94, 0x44, 0xB5, 0xF5, 0x12, 0xF9, 0x74, 0x15, 0x5F}; unsigned char output[16]; sm4_context ctx; unsigned long i; //decrypt testing sm4_setkey_dec(&ctx, key); sm4_crypt_ecb(&ctx, 0, 16, input, output); for (i = 0; i < 16; i++) printf("%02x ", output[i]); printf("\n"); return 0; }
编译,跑起来
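# sm4.h reaches the compiler through #include. Listing it as an input makes
# gcc precompile it and leave a stray sm4.h.gch next to the sources, so only
# the .c files are passed.
gcc sm4test.c sm4.c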