RE
HelloRe
The plaintext can be found directly in the code.
わかります
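First locate the key function: it takes a 36-character input string which, after processing, is used as a 6*6 matrix in the computation.
ptr is each input byte shifted right by four bits, and v7 is each byte XORed with 0xf. Once these two matrices are known, brute-forcing gives the flag.
Inspection shows that sub_40078E multiplies two matrices and sub_400892 adds two matrices. Thanks to 黏黏 for recommending the 云算子 platform. The ptr result is as follows:
The remaining steps are as follows: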
Python>r2=[0x00000010, 0x00000008, 0x00000008, 0x0000000E, 0x00000006, 0x0000000B, 0x00000005, 0x00000017, 0x00000005, 0x0000000A, 0x0000000C, 0x00000017, 0x0000000E, 0x00000017, 0x00000013, 0x00000007, 0x00000008, 0x0000000A, 0x00000004, 0x0000000D, 0x00000016, 0x00000011, 0x0000000B, 0x00000016, 0x00000006, 0x0000000E, 0x00000002, 0x0000000B, 0x00000012, 0x00000009, 0x00000005, 0x00000008, 0x00000008, 0x0000000A, 0x00000010, 0x0000000D]
Python>a2=[0x00000008, 0x00000001, 0x00000007, 0x00000001, 0x00000001, 0x00000000, 0x00000004, 0x00000008, 0x00000001, 0x00000002, 0x00000003, 0x00000009, 0x00000003, 0x00000008, 0x00000006, 0x00000006, 0x00000004, 0x00000008, 0x00000003, 0x00000005, 0x00000007, 0x00000008, 0x00000008, 0x00000007, 0x00000000, 0x00000009, 0x00000000, 0x00000002, 0x00000003, 0x00000004, 0x00000002, 0x00000003, 0x00000002, 0x00000005, 0x00000004, 0x00000000]
Python>t=[]
Python>for i in range(36):
Python> t.append(r2[i]-a2[i])
Python>t
[8, 7, 1, 13, 5, 11, 1, 15, 4, 8, 9, 14, 11, 15, 13, 1, 4, 2, 1, 8, 15, 9, 3, 15, 6, 5, 2, 9, 15, 5, 3, 5, 6, 5, 12, 13]
Python>v7=t
Python>ptr=[6,6,6,6,6,7,3,5,7,6,6,6,6,5,4,6,7,7,3,7,5,6,7,5,7,6,7,7,5,7,7,6,6,3,6,7]
Python>f=[]
Python>for i in range(36):
Python> for j in range(256):
Python>  if j>>4==ptr[i] and j&0xf==v7[i]:
Python>   f.append(j)
Python>t=''
Python>for i in f:
Python> t+=str(chr(i))
Python>t
hgame{1_think_Matr1x_is_very_usef5l}
r&xor
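Patch out the key cmp instruction by changing it to cmp eax eax, set a breakpoint on that instruction, and read the register values. Note that they are in hexadecimal.
Pro的Python教室 (Pro's Python Classroom)
Base64-decode the middle part, then concatenate it with the other two parts.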
python3&4
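03f3 0d0a version
F1 E1 53 5C timestamp
63 block
0000 0000 argument
0000 0000 nlocals
0500 0000 stack size
4000 0000 flags
73 type: string
(note the little-endian byte order)
0000 0132 length in bytes
0 71 0003 jump to the bytecode at offset 3
3 71 0009 jump to the bytecode at offset 9
9 71 000e jump to the bytecode at offset 14
14 47 6464 print list
17 00 6400 terminate
This shows how the Python obfuscation works, so it is enough to edit the file's bytecode: delete 71 03 00 71 09 00 64 0F 00 71 0E 00 47 64 and change the length of the code region to 0x0132-14=0x0124. Decompiling then gives the code: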
#!/usr/bin/env python
# encoding: utf-8
# If you find it useful, recommend it to your friends! http://tool.lu/pyc
import string
letters = list(string.letters) + list(string.digits) + ['+', '/']
print letters
dec = 'FcjTCgD1EffEm2rPC3bTyL5Wu2bKBI9KAZrwFgrUygHN'

def encode(input_str):
    # The decompiler left stray "continue" statements and garbled expressions
    # in this function. The loop and padding logic below are reconstructed on
    # the assumption that it is a base64-style encoder over `letters`.
    str_ascii_list = ['{:0>8}'.format(str(bin(ord(i))).replace('0b', '')) for i in input_str]
    output_str = ''
    equal_num = 0
    while str_ascii_list:
        # Take three 8-bit strings at a time, padding the last group with zeros
        temp_list = str_ascii_list[:3]
        while len(temp_list) < 3:
            equal_num += 1
            temp_list += ['0' * 8]
        temp_str = ''.join(temp_list)
        # Split the 24 bits into four 6-bit indexes into the alphabet
        temp_str_list = [temp_str[x:x + 6] for x in [0, 6, 12, 18]]
        temp_str_list = [int(x, 2) for x in temp_str_list]
        if equal_num:
            temp_str_list = temp_str_list[0:4 - equal_num]
        output_str += ''.join([letters[x] for x in temp_str_list])
        str_ascii_list = str_ascii_list[3:]
    output_str = output_str + '=' * equal_num
    return output_str

print "Welcome to Processor's Python Classroom Part 3&4!\n"
print 'qi shi wo jiu shi lan cai ba liang dao ti fang zai yi qi.'
print "Now let's start the origin of Python!\n"
print 'Plz Input Your Flag:\n'
enc = raw_input()
lst = list(enc)
lst.reverse()
llen = len(lst)
for i in range(llen):
    # Even positions end up shifted by -1 (-2 then +1), odd positions by +1
    if i % 2 == 0:
        lst[i] = chr(ord(lst[i]) - 2)
    lst[i] = chr(ord(lst[i]) + 1)
enc2 = ''
enc2 = enc2.join(lst)
enc3 = encode(enc2)
if enc3 == dec:
    print "You're right! "
else:
    print "You're Wrong! "
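The byte patch described before the listing (delete the 14 junk bytes, shrink the length field from 0x0132 to 0x0124), as an added Python 3 example that is not part of the original writeup. The sample file is constructed: the header fields come from the byte listing, the bytecode body is NOP filler and `TAIL` stands in for the rest of the marshal data; the function names are hypothetical.

```python
import struct

# Junk prefix quoted in the writeup (14 bytes of jumps and filler).
JUNK = bytes.fromhex("71 03 00 71 09 00 64 0F 00 71 0E 00 47 64")
# Python 2.7 layout from the byte listing: magic(4) + timestamp(4) +
# 'c' + argcount/nlocals/stacksize/flags (4 each) + 's' + length(4, LE).
LEN_OFF = 4 + 4 + 1 + 16 + 1
CODE_OFF = LEN_OFF + 4


def strip_junk(pyc: bytes) -> bytes:
    """Remove the junk prefix from the top-level code string and fix its length."""
    if pyc[8:9] != b"c" or pyc[LEN_OFF - 1:LEN_OFF] != b"s":
        raise ValueError("unexpected marshal layout")
    (length,) = struct.unpack_from("<I", pyc, LEN_OFF)
    code = pyc[CODE_OFF:CODE_OFF + length]
    # Assumption: the junk sits at offset 0 of the bytecode, as in the listing.
    if len(code) != length or not code.startswith(JUNK):
        raise ValueError("junk prefix not found at start of bytecode")
    cleaned = code[len(JUNK):]
    # Jump targets inside the remaining bytecode are not rewritten here.
    return (pyc[:LEN_OFF] + struct.pack("<I", len(cleaned))
            + cleaned + pyc[CODE_OFF + length:])


def build_sample() -> bytes:
    """Constructed stand-in for the challenge file (not the real .pyc)."""
    header = bytes.fromhex("03f30d0a" "f1e1535c" "63"
                           "00000000" "00000000" "05000000" "40000000" "73")
    code = JUNK + b"\x09" * (0x132 - len(JUNK))  # 0x09 = NOP filler
    return header + struct.pack("<I", len(code)) + code + b"TAIL"


if __name__ == "__main__":
    fixed = strip_junk(build_sample())
    print(hex(struct.unpack_from("<I", fixed, LEN_OFF)[0]))
```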
Analysing this code yields the flag.
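One way to carry out that analysis, as an added Python 3 example rather than the author's script: the custom alphabet is mapped back to standard base64, then the per-character shift and the reversal are undone. It assumes `string.letters` in the Python 2 original is lowercase followed by uppercase (the default C locale); `forward` and `recover` are names chosen here.

```python
import base64
import string

DEC = 'FcjTCgD1EffEm2rPC3bTyL5Wu2bKBI9KAZrwFgrUygHN'  # target string from the listing
# Assumption: Python 2 string.letters == lowercase + uppercase (C locale).
CUSTOM = string.ascii_lowercase + string.ascii_uppercase + string.digits + '+/'
STANDARD = string.ascii_uppercase + string.ascii_lowercase + string.digits + '+/'


def forward(flag: str) -> str:
    """Re-implementation of the checker: reverse, shift, custom base64."""
    lst = list(flag)[::-1]
    for i in range(len(lst)):
        if i % 2 == 0:
            lst[i] = chr(ord(lst[i]) - 2)
        lst[i] = chr(ord(lst[i]) + 1)
    std = base64.b64encode(''.join(lst).encode('latin-1')).decode()
    return std.translate(str.maketrans(STANDARD, CUSTOM))


def recover(dec: str) -> str:
    """Invert the checker: custom base64 -> bytes -> unshift -> unreverse."""
    std = dec.translate(str.maketrans(CUSTOM, STANDARD))
    shifted = base64.b64decode(std)
    # Even positions were shifted by -1 in total, odd positions by +1.
    chars = [chr(b + 1) if i % 2 == 0 else chr(b - 1)
             for i, b in enumerate(shifted)]
    return ''.join(reversed(chars))


if __name__ == "__main__":
    print(recover(DEC))
```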
Crypto
Mix
Morse code -> hex to characters -> rail fence cipher -> Caesar cipher
perfect_secrecy
OTP: one-time pad.
https://www.jianshu.com/p/ea2bda3a0099
Base全家 (Base Family)
import base64
# Read the challenge ciphertext, then undo each encoding layer in turn
with open('enc.txt') as file_object:
    file_context = file_object.read()
mid_1=base64.b64decode(file_context)
mid_2=base64.b64decode(mid_1)
mid_3=base64.b16decode(mid_2)
mid_4=base64.b16decode(mid_3)
mid_5=base64.b16decode(mid_4)
mid_6=base64.b32decode(mid_5)
mid_7=base64.b16decode(mid_6)
mid_8=base64.b32decode(mid_7)
mid_9=base64.b64decode(mid_8)
mid_10=base64.b16decode(mid_9)
mid_11=base64.b64decode(mid_10)
mid_12=base64.b16decode(mid_11)
mid_13=base64.b16decode(mid_12)
mid_14=base64.b16decode(mid_13)
mid_15=base64.b16decode(mid_14)
mid_16=base64.b32decode(mid_15)
mid_17=base64.b64decode(mid_16)
mid_18=base64.b64decode(mid_17)
mid_19=base64.b64decode(mid_18)
print(base64.b32decode(mid_19))
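The decode order above is hard-coded. As an added example (not the author's code) that goes one step further, the sketch below works the order out by trying the strictest alphabet first (base16, then base32, then base64) and stopping when nothing decodes to printable text. The sample blob is constructed; `peel` and `build_sample` are hypothetical names.

```python
import base64
import binascii

# Strictest alphabet first, so a hex layer is never mistaken for base32/base64.
DECODERS = [
    ("b16", base64.b16decode),
    ("b32", base64.b32decode),
    ("b64", lambda s: base64.b64decode(s, validate=True)),
]


def is_printable(data: bytes) -> bool:
    return all(32 <= b < 127 or b in (10, 13) for b in data)


def peel(data, max_layers=64):
    """Strip nested base16/32/64 layers; return (plaintext, layers applied)."""
    if isinstance(data, str):
        data = data.encode("ascii")
    layers = []
    for _ in range(max_layers):
        data = data.strip()
        for name, decode in DECODERS:
            try:
                out = decode(data)
            except (binascii.Error, ValueError):
                continue
            # Every intermediate layer is text, so reject binary garbage.
            if out and is_printable(out):
                data = out
                layers.append(name)
                break
        else:
            break  # no decoder accepted the data: innermost layer reached
    return data, layers


def build_sample() -> bytes:
    """Constructed four-layer blob (not the challenge's enc.txt)."""
    msg = b"flag{constructed_sample}"
    return base64.b16encode(base64.b32encode(base64.b16encode(base64.b64encode(msg))))


if __name__ == "__main__":
    print(peel(build_sample()))
```

A plaintext that happens to be valid base64 itself would be decoded one layer too far, so check the reported layer list against the expected output.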
easy_rsa
e = 12
p = 58380004430307803367806996460773123603790305789098384488952056206615768274527
q = 81859526975720060649380098193671612801200505029127076539457680155487669622867
ciphertext = 206087215323690202467878926681944491769659156726458690815919286163630886447291570510196171585626143608988384615185921752409380788006476576337410136447460
e and phi share a common factor of 4, so the real public exponent is not 12 but 3.
import gmpy2
p=gmpy2.mpz(58380004430307803367806996460773123603790305789098384488952056206615768274527)
q =gmpy2.mpz( 81859526975720060649380098193671612801200505029127076539457680155487669622867)
c = gmpy2.mpz(206087215323690202467878926681944491769659156726458690815919286163630886447291570510196171585626143608988384615185921752409380788006476576337410136447460)
n=gmpy2.mpz(p*q)
phi=gmpy2.mpz((p-1)*(q-1))
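d=gmpy2.mpz(gmpy2.invert(3,(phi)))
# c = m^12 mod n, so c^d = m^4 mod n
m4=pow(c,d,n)
print(m4)
i=0
# Add multiples of n until the value is a perfect fourth power, then take the root
while True:
    if gmpy2.iroot(m4+i*n,4)[1]:
        x=gmpy2.iroot(m4+i*n,4)[0]
        print(hex(x),m4+i*n)
        break
    i+=1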