Mas0n
mailto:MasonShi@88.com
翻车鱼

DASCTF Oct X 吉林工师

趁着上课摸鱼做了几题Misc,真就是杂项杯,就挂两题Re吧……

魔法叠加

pyc文件,修改了header,改回来之后可以手撸字节码,也可以继续修复下使用uncompyle6反编译

反编译得到脚本

import struct
O0O00O00O00O0O00O = [
 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '!', '#', '$', '%', '&', '(', ')', '*', '+', ',', '.', '/', ':', ';', '<', '=', '>', '?', '@', '[', ']', '^', '_', '`', '{', '|', '}', '~', '"']

def encode(O000O00000OO00OOO):
    """"""
    OOOO00OOO00O000OO = 0
    OOOOOOOOOO00O0OOO = 0
    OO0OOO000000OOOOO = ''
    for O0O0OO0OOOOOOOO00 in range(len(O000O00000OO00OOO)):
        O000O0OOOOO00O0O0 = O000O00000OO00OOO[O0O0OO0OOOOOOOO00:O0O0OO0OOOOOOOO00 + 1]
        OOOO00OOO00O000OO |= struct.unpack('B', O000O0OOOOO00O0O0)[0] << OOOOOOOOOO00O0OOO
        OOOOOOOOOO00O0OOO += 8
        if OOOOOOOOOO00O0OOO > 13:
            OO00O0OO00OOO000O = OOOO00OOO00O000OO & 8191
            if OO00O0OO00OOO000O > 88:
                OOOO00OOO00O000OO >>= 13
                OOOOOOOOOO00O0OOO -= 13
            else:
                OO00O0OO00OOO000O = OOOO00OOO00O000OO & 16383
                OOOO00OOO00O000OO >>= 14
                OOOOOOOOOO00O0OOO -= 14
            OO0OOO000000OOOOO += O0O00O00O00O0O0O0[(OO00O0OO00OOO000O % 91)] + O0O00O00O00O0O0O0[(OO00O0OO00OOO000O // 91)]

    if OOOOOOOOOO00O0OOO:
        OO0OOO000000OOOOO += O0O00O00O00O0O0O0[(OOOO00OOO00O000OO % 91)]
        if OOOOOOOOOO00O0OOO > 7 or OOOO00OOO00O000OO > 90:
            OO0OOO000000OOOOO += O0O00O00O00O0O0O0[(OOOO00OOO00O000OO // 91)]
    return OO0OOO000000OOOOO


O0O00O00O00O0O0O0 = []
OO000O00O00O0O0O0 = []
O0O0O0O0000O0O00O = input('plz input O0O0O0O0000O0O00O:\n')
for i in range(0, 52):
    O0O00O00O00O0O0O0 = O0O00O00O00O0O00O[i:] + O0O00O00O00O0O00O[0:i]
    O0O0O0O0000O0O00O = encode(O0O0O0O0000O0O00O.encode('utf-8'))

dic = open('./00.txt', 'a')
dic.write(O0O0O0O0000O0O00O)
dic.close()

52层base91,每层码表都不一样

找到出处

aberaud/base91-python

抄下来修改下

# -*- coding:utf-8 -*-
"""
@Author: Mas0n
@File: das.py
@Time: 2021-10-24 11:12
@Desc: It's all about getting better.
"""
import struct


def decode(encoded_str):
    ''' Decode Base91 string to a bytearray '''
    v = -1
    b = 0
    n = 0
    out = b''
    for strletter in encoded_str:
        t = struct.pack('B', strletter)
        if not t in decode_table:
            continue
        c = decode_table[t]
        if v < 0:
            v = c
        else:
            v += c * 91
            b |= v << n
            n += 13 if (v & 8191) > 88 else 14
            while True:
                out += struct.pack('B', b & 255)
                b >>= 8
                n -= 8
                if not n > 7:
                    break
            v = -1
    if v + 1:
        out += struct.pack('B', (b | v << n) & 255)
    return out


keyMaps = ['A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M',
           'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
           'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm',
           'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
           '0', '1', '2', '3', '4', '5', '6', '7', '8', '9', '!', '#', '$',
           '%', '&', '(', ')', '*', '+', ',', '.', '/', ':', ';', '<', '=',
           '>', '?', '@', '[', ']', '^', '_', '`', '{', '|', '}', '~', '"']

allMaps = []
for i in range(0, 52):
    allMaps.append(keyMaps[i:] + keyMaps[0:i])

dic = open(r"D:\Downloads\00.txt", "rb")
flags = dic.read()
dic.close()
allMaps.reverse()

for i in range(0, 52):
    decode_table = dict((v.encode('utf-8'), k) for k, v in enumerate(allMaps[i]))
    flags = decode(flags)
    print(flags[:8])
print(flags)

马猴烧酒

简单反调试,patch掉

https://cdn.shi1011.cn/2021/10/0c61796587551e6eb1c4c1a50755f7f5.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

获取时间戳

https://cdn.shi1011.cn/2021/10/d2945ce3898163e4b1648116d2481c5e.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5

变表base64编码

而后简单异或得到SM4 Key

strcpy(fake_flag, "flag{this_is_fake_flag}");
strncpy(Destination, timestamp, 0x10ui64);
for ( i = 0i64; i < 16; ++i )
    fake_flag[i] ^= Destination[i];

用的非标准SM4,修改了Sbox,FK和CK

NEWPLAN/SMx: 国家商用加密算法 SMx(SM2,SM3,SM4) (github.com)

改下脚本

static const unsigned char SboxTable[16][16] =
{
	{0x48, 0x90, 0xE9, 0xFE, 0xCC, 0xE1, 0x3D, 0xB7, 0x16, 0xB6, 0x14, 0xC2, 0x28, 0xFB, 0x2C, 0x05}, 
    {0x2B, 0x67, 0x9A, 0x76, 0x2A, 0xBE, 0x04, 0xC3, 0xAA, 0x44, 0x13, 0x26, 0x49, 0x86, 0x06, 0x99}, 
    {0x9C, 0x42, 0x50, 0xF4, 0x91, 0xEF, 0x98, 0x7A, 0x33, 0x54, 0x0B, 0x43, 0xED, 0xCF, 0xAC, 0x62}, 
    {0xE4, 0xB3, 0x1C, 0xA9, 0xC9, 0x08, 0xE8, 0x95, 0x80, 0xDF, 0x94, 0xFA, 0x75, 0x8F, 0x3F, 0xA6}, 
    {0x47, 0x07, 0xA7, 0xFC, 0xF3, 0x73, 0x17, 0xBA, 0x83, 0x59, 0x3C, 0x19, 0xE6, 0x85, 0x4F, 0xA8}, 
    {0x68, 0x6B, 0x81, 0xB2, 0x71, 0x64, 0xDA, 0x8B, 0xF8, 0xEB, 0x0F, 0x4B, 0x70, 0x56, 0x9D, 0x35}, 
    {0x1E, 0x24, 0x0E, 0x5E, 0x63, 0x58, 0xD1, 0xA2, 0x25, 0x22, 0x7C, 0x3B, 0x01, 0x21, 0x78, 0x87}, 
    {0xD4, 0x00, 0x46, 0x57, 0x9F, 0xD3, 0x27, 0x52, 0x4C, 0x36, 0x02, 0xE7, 0xA0, 0xC4, 0xC8, 0x9E}, 
    {0xEA, 0xBF, 0x8A, 0xD2, 0x40, 0xC7, 0x38, 0xB5, 0xA3, 0xF7, 0xF2, 0xCE, 0xF9, 0x61, 0x15, 0xA1}, 
    {0xE0, 0xAE, 0x5D, 0xA4, 0x9B, 0x34, 0x1A, 0x55, 0xAD, 0x93, 0x32, 0x30, 0xF5, 0x8C, 0xB1, 0xE3}, 
    {0x1D, 0xF6, 0xE2, 0x2E, 0x82, 0x66, 0xCA, 0x60, 0xC0, 0x29, 0x23, 0xAB, 0x0D, 0x53, 0x4E, 0x6F}, 
    {0xD5, 0xDB, 0x37, 0x45, 0xDE, 0xFD, 0x8E, 0x2F, 0x03, 0xFF, 0x6A, 0x72, 0x6D, 0x6C, 0x5B, 0x51}, 
    {0x8D, 0x1B, 0xAF, 0x92, 0xBB, 0xDD, 0xBC, 0x7F, 0x11, 0xD9, 0x5C, 0x41, 0x1F, 0x10, 0x5A, 0xD8}, 
    {0x0A, 0xC1, 0x31, 0x88, 0xA5, 0xCD, 0x7B, 0xBD, 0x2D, 0x74, 0xD0, 0x12, 0xB8, 0xE5, 0xB4, 0xB0}, 
    {0x89, 0x69, 0x97, 0x4A, 0x0C, 0x96, 0x77, 0x7E, 0x65, 0xB9, 0xF1, 0x09, 0xC5, 0x6E, 0xC6, 0x84}, 
    {0x18, 0xF0, 0x7D, 0xEC, 0x3A, 0xDC, 0x4D, 0x20, 0x79, 0xEE, 0x5F, 0x3E, 0xD7, 0xCB, 0x39, 0xD6}
};

/* System parameter */
static const unsigned long FK[4] = {0xA3B1BAC7, 0x56AA3350, 0x677D9197, 0xB27022DC};

/* fixed parameter */
static const unsigned long CK[32] =
{
	0xF4BFE18F, 0xA8AA055C, 0x8B266D2B, 0xB3819D47, 0x0B1B3A85, 0xF7DB86B6, 0xC3279F82, 0x39D9C102, 
    0xBEA224C9, 0xE75D4DAC, 0xAC61726C, 0x6F98AA6F, 0xFA2ADA4E, 0x6A7CFF92, 0xA8066E7B, 0x7BE32F9F, 
    0x8CD0FED3, 0x4B98AF71, 0x790C2CBC, 0xBF880433, 0xAA46F582, 0x69C17A2C, 0x80BBD5E4, 0x24A02531, 
    0x293D87B3, 0x75F159AD, 0xB750AE9D, 0x9886928C, 0x05577A22, 0xB425E19F, 0x124D4F63, 0xE26F66D1
};

dump出密文,改下key

/*************************************************************************
       > File Name: SM4test.c
       > Author:NEWPLAN
       > E-mail:newplan001@163.com
       > Created Time: Thu Apr 13 23:55:50 2017
************************************************************************/

#include <string.h>
#include <stdio.h>
#include "sm4.h"

int main(int argc, char** argv)
{
	unsigned char key[16] = {0x0B, 0x18, 0x18, 0x29, 0x16, 0x3A, 0x5E, 0x27, 0x1E, 0x2B, 0x5F, 0x3F, 0x32, 0x07, 0x5C, 0x56};
	unsigned char input[16] = {0xF7, 0xEB, 0x5E, 0x87, 0x17, 0x9C, 0x74, 0x94, 0x44, 0xB5, 0xF5, 0x12, 0xF9, 0x74, 0x15, 0x5F};
	unsigned char output[16];
	sm4_context ctx;
	unsigned long i;


	//decrypt testing
	sm4_setkey_dec(&ctx, key);
	sm4_crypt_ecb(&ctx, 0, 16, input, output);
	for (i = 0; i < 16; i++)
		printf("%02x ", output[i]);
	printf("\n");

	return 0;
}

编译,跑起来

gcc sm4test.c sm4.h sm4.c
https://cdn.shi1011.cn/2021/10/8e4e0571d5b8bf8d22cc21c9231855b4.png?imageMogr2/format/webp/interlace/0/quality/90|watermark/2/text/wqlNYXMwbg/font/bXN5aGJkLnR0Zg/fontsize/14/fill/IzMzMzMzMw/dissolve/80/gravity/southeast/dx/5/dy/5
本文链接:https://blog.shi1011.cn/ctf/1707
本文采用 CC BY-NC-SA 3.0 Unported 协议进行许可

Mas0n

文章作者

发表评论

textsms
account_circle
email

  • David

    修pyc的能展开讲讲么?

    1月前 回复
    • Mas0n博主

      @David: PYC修复的话,我赛时直接把文件头改成3.7的,就直接用pydisasm强撸的字节码……至于要完全修复用uncompyle6的话可以先了解一下PYC的文件结构
      PYC文件格式分析

      1月前 回复
  • null

    请问是如何识别是SM4密码

    1月前 回复
  • Cu6e

    请教一下SM4中的FK也改过了吗,在ida中是哪块数据啊?

    1月前 回复
  • Scr1pt

    今年就在这里住下学习了,师傅太强了

    4周前 回复

翻车鱼

DASCTF Oct X 吉林工师
趁着上课摸鱼做了几题Misc,真就是杂项杯,就挂两题Re吧…… 魔法叠加 pyc文件,修改了header,改回来之后可以手撸字节码,也可以继续修复下使用uncompyle6反编译 反编译得到脚本 …
扫描二维码继续阅读
2021-10-25