• 2022DASCTF Apr X FATE 防疫挑战赛


    2022DASCTF Apr X FATE 防疫挑战赛

    easy_real

    import random
    import hashlib
    from gmpy2 import *
    from libnum import *
    
    
    
    # Challenge source as published (kept for reference): every character of the
    # flag is XORed with one random key in 1..10, and the masked text is then
    # RSA-encrypted. A key space of ten values can be searched exhaustively.
    # flag = 'xxxxxxxxxxxxxxxxxxxx'
    # key = random.randint(1,10)
    # for i in range(len(flag)):
    #     crypto += chr(ord(flag[i])^key)
    # m = the ASCII bytes of crypto, read as one hexadecimal number
    e = 23
    n = 4197356622576696564490569060686240088884187113566430134461945130770906825187894394672841467350797015940721560434743086405821584185286177962353341322088523
    # p is used as one factor of n; the cofactor follows by integer division.
    p = 64310413306776406422334034047152581900365687374336418863191177338901198608319
    q = n // p
    c = 3298176862697175389935722420143867000970906723110625484802850810634814647827572034913391972640399446415991848730984820839735665233943600223288991148186397
    # Private exponent: inverse of e modulo (p-1)(q-1).
    phi = (p - 1) * (q - 1)
    d = invert(e, phi)
    m = int(pow(c, d, n))
    print(n2s(m))  # b'ndios_;9kgE;WK8e;W?gWn<\\;k|nu'
    # The RSA plaintext is still XOR-masked. It is pasted back as text and every
    # candidate key 0..10 is applied, one output line per key.
    m = 'ndios_;9kgE;WK8e;W?gWn<\\;k|nu'
    for i in range(11):
        print(''.join(chr(ord(ch) ^ i) for ch in m))
    
    
    
    

    CrackMe

    随便输入一下,提示wrong

    通过字符串交叉引用搜到主程序,

    // Check routine of the CrackMe dialog as emitted by the decompiler.
    // It copies two input fields (this+216 and this+212) into local buffers,
    // hashes parts of the first field, compares the digests with data stored in
    // the object, and finally compares an encrypted form of the second field
    // with the bytes at this+740.
    int __thiscall sub_B131E0(int this)
    {
      const void *v1; // eax
      const void *v2; // eax
      unsigned int Size; // [esp+18h] [ebp-230h]
      size_t pdwDataLen; // [esp+20h] [ebp-228h] BYREF
      void *Buf1; // [esp+24h] [ebp-224h] BYREF
      BYTE *v8; // [esp+28h] [ebp-220h] BYREF
      BYTE *v9; // [esp+2Ch] [ebp-21Ch] BYREF
      size_t dwDataLen; // [esp+30h] [ebp-218h] BYREF
      size_t v11; // [esp+34h] [ebp-214h] BYREF
      DWORD v12; // [esp+38h] [ebp-210h] BYREF
      BYTE v13[260]; // [esp+3Ch] [ebp-20Ch] BYREF
      char pbData[260]; // [esp+140h] [ebp-108h] BYREF
    
      CWnd::UpdateData((CWnd *)this, 1);
      memset(pbData, 0, sizeof(pbData));
      memset(v13, 0, sizeof(v13));
      // Size and pdwDataLen are used below as the byte lengths of the two fields.
      // NOTE(review): the istreambuf_iterator symbol looks like a signature
      // mismatch by the decompiler; presumably a string-length getter - confirm.
      Size = std::istreambuf_iterator_char_std::char_traits_char__::operator___void_((void *)(this + 216));
      pdwDataLen = std::istreambuf_iterator_char_std::char_traits_char__::operator___void_((void *)(this + 212));
      dwDataLen = 0;
      v11 = 0;
      v12 = 0;
      // Both copies use the field's own length as the count, and the length test
      // only comes afterwards; the destination buffers are 260 bytes each.
      v1 = (const void *)sub_B12590((void *)(this + 216), Size);
      memmove(pbData, v1, Size);
      v2 = (const void *)sub_B12590((void *)(this + 212), pdwDataLen);
      memmove(v13, v2, pdwDataLen);
      // With &&, the input is rejected here only when BOTH lengths are wrong;
      // a single correct length is enough to get past this test.
      if ( Size != 8 && pdwDataLen != 32 )
        return Wrong((CWnd *)this);
      // 0x8003 is CALG_MD5 and 0x8004 is CALG_SHA1 (ALG_ID values from wincrypt.h).
      // Per the write-up, sub_B13510 hashes the given buffer with that algorithm:
      //   first half of the first field  -> MD5   -> Buf1
      //   bytes from offset 4, same size -> SHA-1 -> v8
      //   whole first field              -> MD5   -> v9
      sub_B13510((BYTE *)pbData, Size >> 1, 0x8003u, (BYTE **)&Buf1, &dwDataLen);
      sub_B13510((BYTE *)&pbData[4], Size >> 1, 0x8004u, &v8, &v11);
      sub_B13510((BYTE *)pbData, Size, 0x8003u, &v9, &v12);
      // As decompiled, the result of this comparison is discarded, so the MD5
      // of the first half does not influence the outcome.
      memcmp(Buf1, (const void *)(this + 220), dwDataLen);
      // The SHA-1 of the second half must match the bytes at this+480.
      if ( memcmp(v8, (const void *)(this + 480), v11) )
        return Wrong((CWnd *)this);
      // Transforms v13 (the second field) in place using v9 as key material;
      // 0x104 (260) is the size of v13. The write-up identifies this as the
      // WinCrypt encryption helper listed further down the page.
      sub_B136E0(v9, v12, v13, &pdwDataLen, 0x104u);
      // Success only if the transformed second field equals the bytes at this+740.
      if ( !memcmp(v13, (const void *)(this + 740), pdwDataLen) )
        return sucess((CWnd *)this);
      else
        return Wrong((CWnd *)this);
    }
    

    准备动调看看怎么回事,发现有反调试

    反调试是这个

    ZwSetInformationThread 等同于 NtSetInformationThread,通过为线程设置 ThreadHideFromDebugger(信息类 0x11),可以让调试器收不到该线程的调试事件

    搜索"ZwSetInformationThread"
    

    发现后改掉参数0x11,

    我这里改的是1

     // Call as it reads after the author's patch. The second argument is the
     // thread-information class: the original binary passed 0x11
     // (ThreadHideFromDebugger); the author replaced it with 1 so that the
     // thread stays visible to the debugger during analysis.
     ((void (__stdcall *)(HANDLE, int, _DWORD, _DWORD))ZwSetInformationThread)(CurrentThread, 1, 0, 0);
    

    根据

      if ( Size != 8 && pdwDataLen != 32 )
    

    进行逻辑构造,这里猜flag要32位,key的size要8位

    我们动调验证了我们的猜想

    接下来关注sub_B13510函数,下面连续调用了三次

    发现是调用系统api,关注ALG_ID Algid(0x8003 即 CALG_MD5,0x8004 即 CALG_SHA1),发现是分别进行

    image-20220818164209691

    加密

    ,进入下面第一个对比

    image-20220818164255363

    得到key的前4位的md5:

    9F77C2A4AC5C0A671321BBE1E9972AF6

    明文为:NocT

    同样得到key后4位的sha1:D59F8E94B0E1DE6E329518A0C444AA94DE7C8D44

    image-20220818165832164

    后半部分为:uRne

    NocTuRne

    然后用key的md5值派生出AES密钥(CryptDeriveKey,0x660E 即 CALG_AES_128),对我们的input做加密

    我们直接去拿密文

    image-20220818170827880

     0x5B, 0x9C, 0xEE, 0xB2, 0x3B, 0xB7, 0xD7, 0x34, 0xF3, 0x1B, 
      0x75, 0x14, 0xC6, 0xB2, 0x1F, 0xE8, 0xDE, 0x33, 0x44, 0x74, 
      0x75, 0x1B, 0x47, 0x6A, 0xD4, 0x37, 0x51, 0x88, 0xFC, 0x67, 
      0xE6, 0x60
    

    参数是:

    md5_key,0x10,input,len_input,0x104
    
    // Encryption helper as emitted by the decompiler: hashes pbData with MD5,
    // derives an AES-128 key from that hash and encrypts a3 in place.
    //   pbData/dwDataLen : key material fed to the hash
    //   a3               : buffer holding the plaintext, overwritten with ciphertext
    //   pdwDataLen       : in: plaintext length, out: length written by CryptEncrypt
    //   dwBufLen         : total size of the a3 buffer
    // Nothing is returned, so the caller cannot tell whether any step failed.
    void __stdcall sub_C836E0(BYTE *pbData, DWORD dwDataLen, BYTE *a3, DWORD *pdwDataLen, DWORD dwBufLen)
    {
      HCRYPTKEY phKey; // [esp+Ch] [ebp-10h] BYREF
      HCRYPTPROV phProv; // [esp+10h] [ebp-Ch] BYREF
      HCRYPTHASH phHash; // [esp+14h] [ebp-8h] BYREF
    
      phProv = 0;
      phHash = 0;
      phKey = 0;
      // 0x18       = PROV_RSA_AES
      // 0xF0000000 = CRYPT_VERIFYCONTEXT
      // 0x8003     = CALG_MD5
      // 0x660E     = CALG_AES_128, derived with flag 1 (CRYPT_EXPORTABLE)
      if ( CryptAcquireContextA(&phProv, 0, 0, 0x18u, 0xF0000000)
        && CryptCreateHash(phProv, 0x8003u, 0, 0, &phHash)
        && CryptHashData(phHash, pbData, dwDataLen, 0)
        && CryptDeriveKey(phProv, 0x660Eu, phHash, 1u, &phKey) )
      {
        // No hash object (0), Final = 1, no flags; the return value is ignored.
        CryptEncrypt(phKey, 0, 1, 0, a3, pdwDataLen, dwBufLen);
      }
      // Release whatever was acquired, in reverse order of creation.
      if ( phKey )
        CryptDestroyKey(phKey);
      if ( phHash )
        CryptDestroyHash(phHash);
      if ( phProv )
        CryptReleaseContext(phProv, 0);
    }
    
    #include <stdio.h>
    #include <windows.h>
    #include <wincrypt.h>
    /*
     * Inverse of the decompiled encryption helper: hashes pbData with MD5
     * (0x8003), derives an AES-128 key (0x660E) from the hash, decrypts a3 in
     * place and prints it as a C string.
     *
     * The return value of CryptDecrypt is not checked, so the buffer is printed
     * whether or not the call reports success. printf("%s") also needs a NUL
     * byte somewhere in the caller's buffer. dwBufLen is accepted for symmetry
     * with the encryption helper and is not used.
     */
    void __stdcall de(BYTE *pbData, DWORD dwDataLen, BYTE *a3, DWORD *pdwDataLen, DWORD dwBufLen)
    {
      HCRYPTPROV provider = 0;
      HCRYPTHASH digest = 0;
      HCRYPTKEY aesKey = 0;

      /* 0x18 = PROV_RSA_AES, 0xF0000000 = CRYPT_VERIFYCONTEXT */
      if ( !CryptAcquireContextA(&provider, 0, 0, 0x18u, 0xF0000000) )
        goto cleanup;
      if ( !CryptCreateHash(provider, 0x8003u, 0, 0, &digest) )
        goto cleanup;
      if ( !CryptHashData(digest, pbData, dwDataLen, 0) )
        goto cleanup;
      if ( !CryptDeriveKey(provider, 0x660Eu, digest, 1u, &aesKey) )
        goto cleanup;

      CryptDecrypt(aesKey, 0, 1, 0, a3, pdwDataLen);
      printf("%s",a3);

    cleanup:
      /* Release in reverse order of creation; handles left at 0 are skipped. */
      if ( aesKey )
        CryptDestroyKey(aesKey);
      if ( digest )
        CryptDestroyHash(digest);
      if ( provider )
        CryptReleaseContext(provider, 0);
    }
    //md5_key,0x10,input,len_input,0x104
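    /*
     * Driver: decrypts the 32-byte ciphertext copied from the binary with de().
     * key is the 16-byte value the write-up calls md5_key; de() hashes it with
     * MD5 and derives the AES key from that hash.
     */
    int main(){
       /* Declared with 0x104 bytes so the array really has the buffer size that
          is handed to de(). The bytes after the 32-byte ciphertext are
          zero-initialised, so the printf("%s") inside de() always finds a
          terminator within the array instead of reading past a 32-byte one. */
       BYTE input[0x104]={ 0x5B, 0x9C, 0xEE, 0xB2, 0x3B, 0xB7, 0xD7, 0x34, 0xF3, 0x1B, 
       0x75, 0x14, 0xC6, 0xB2, 0x1F, 0xE8, 0xDE, 0x33, 0x44, 0x74, 
       0x75, 0x1B, 0x47, 0x6A, 0xD4, 0x37, 0x51, 0x88, 0xFC, 0x67, 
       0xE6, 0x60};
       BYTE key[]={0x5c,0x53,0xa4,0xa4,0x1d,0x52,0x43,0x7a,0x9f,0xa1,0xe9,0xc2,0x6c,0xa5,0x90,0x90};
       DWORD dwDataLen = 0x10;   /* length of key in bytes */
       DWORD cbCipher = 0x20;    /* in: ciphertext length; CryptDecrypt may update it */

       de(key,dwDataLen,input,&cbCipher,(DWORD)sizeof(input));

        return 0;
    }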
    

    DASCTF{H@sh_a^d_Aes_6y_W1nCrypt}

    FakePica

    安卓逆向,先查个壳,发现

    image-20220818162411070

    使用BlackDex进行脱壳,然后用jadx看,逻辑有点乱,搜下

    MainActivity

    直接定位到主程序

    package com.pica.picapica;
    
    import android.content.Intent;
    import android.os.Bundle;
    import android.view.View;
    import android.widget.Button;
    import android.widget.EditText;
    import android.widget.Toast;
    import androidx.appcompat.app.AppCompatActivity;
    import com.pica.picacomic.C0897R;
    import java.util.Arrays;
    import javax.crypto.Cipher;
    import javax.crypto.spec.IvParameterSpec;
    import javax.crypto.spec.SecretKeySpec;
    import kotlin.UByte;
    import kotlin.jvm.internal.ByteCompanionObject;
    
    /* loaded from: E:\360MoveData\Users\Administrator\Desktop\com.ppsuc.ppsucctf\cookie_8836564.dex */
    /**
     * Login activity as recovered by JADX from the unpacked dex.
     *
     * The credential check runs entirely inside the app: both input fields are
     * encrypted with AES/CBC under a key and IV that are constants of this class,
     * and the results are compared with two embedded ciphertexts. Because key, IV
     * and ciphertexts all ship in the APK, the expected inputs can be recovered
     * offline by decrypting content0 and content1.
     */
    public class MainActivity extends AppCompatActivity {
        Button checkIn;
        EditText emailInput;
        EditText passWordInput;
        // Fixed 16-byte IV reused for every operation; together with the constant
        // key below, equal plaintexts always produce equal ciphertexts.
        private final IvParameterSpec IV_PARAMETER_SPEC = new IvParameterSpec("0102030405060708".getBytes());
        // Expected ciphertext of the e-mail field (32 bytes), compared in check().
        byte[] content0 = {-114, 95, -37, ByteCompanionObject.MAX_VALUE, -110, 113, 41, 74, 40, 73, 19, 124, -57, -88, 39, -116, -16, -75, -3, -45, -73, -6, -104, -6, -78, 121, 110, 74, -90, -47, -28, -28};
        // Expected ciphertext of the password field (16 bytes), compared in check().
        byte[] content1 = {-40, 26, 95, -49, -40, -123, 72, -90, -100, -41, 122, -4, 25, -101, -58, 116};
        // AES key embedded in the app as a 16-character string.
        String key = "picapicapicapica";
    
        /**
         * Encrypts {@code data} with AES/CBC/NoPadding under {@code key} and the
         * fixed IV and returns the ciphertext as upper-case hex.
         *
         * The plaintext is zero-filled by Arrays.copyOf up to the next multiple of
         * 16 above its length, so an input whose length is already a multiple of
         * 16 gains one full extra block. getBytes() is called without a charset.
         *
         * @return the hex string, or null if any exception is thrown
         */
        public String encryptIntoHexString(String data, String key) {
            try {
                Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
                // 1 == Cipher.ENCRYPT_MODE
                cipher.init(1, new SecretKeySpec(key.getBytes(), "AES"), this.IV_PARAMETER_SPEC);
                return bytesConvertHexString(cipher.doFinal(Arrays.copyOf(data.getBytes(), ((data.getBytes().length / 16) + 1) * 16)));
            } catch (Exception e) {
                e.printStackTrace();
                return null;
            }
        }
    
        /**
         * Decrypts a hex-encoded ciphertext with AES/CBC/NoPadding under
         * {@code key} and the fixed IV and decodes the result as UTF-8. The
         * zero fill added on encryption is not removed.
         *
         * @return the decoded string, or null if any exception is thrown
         */
        public String decryptByHexString(String data, String key) {
            try {
                Cipher cipher = Cipher.getInstance("AES/CBC/NoPadding");
                // 2 == Cipher.DECRYPT_MODE
                cipher.init(2, new SecretKeySpec(key.getBytes(), "AES"), this.IV_PARAMETER_SPEC);
                return new String(cipher.doFinal(hexStringConvertBytes(data.toLowerCase())), "UTF-8");
            } catch (Exception e) {
                e.printStackTrace();
                return null;
            }
        }
    
        /** Renders each byte as two hex digits and returns the string in upper case. */
        private String bytesConvertHexString(byte[] data) {
            StringBuffer result = new StringBuffer();
            for (byte b : data) {
                // Mask to 0..255 so negative bytes do not sign-extend.
                String hexString = Integer.toHexString(b & UByte.MAX_VALUE);
                result.append(hexString.length() == 1 ? "0" + hexString : hexString);
            }
            return result.toString().toUpperCase();
        }
    
        /**
         * Parses a hex string two digits at a time into bytes. A trailing odd
         * digit is ignored because the length is halved with integer division.
         */
        private byte[] hexStringConvertBytes(String data) {
            int length = data.length() / 2;
            byte[] result = new byte[length];
            for (int i = 0; i < length; i++) {
                int first = Integer.parseInt(data.substring(i * 2, (i * 2) + 1), 16);
                int second = Integer.parseInt(data.substring((i * 2) + 1, (i * 2) + 2), 16);
                result[i] = (byte) ((first * 16) + second);
            }
            return result;
        }
    
        /* JADX INFO: Access modifiers changed from: protected */
        @Override // androidx.fragment.app.FragmentActivity, androidx.activity.ComponentActivity, androidx.core.app.ComponentActivity, android.app.Activity
        public void onCreate(Bundle savedInstanceState) {
            super.onCreate(savedInstanceState);
            setContentView(C0897R.layout.activity_main);
            // This Intent is built but not used afterwards; the click handler
            // creates its own.
            Intent intent = new Intent();
            intent.setClass(this, MainActivity2.class);
            this.emailInput = (EditText) findViewById(C0897R.C0900id.emailInput);
            this.passWordInput = (EditText) findViewById(C0897R.C0900id.passWordInput);
            Button button = (Button) findViewById(C0897R.C0900id.login);
            this.checkIn = button;
            button.setOnClickListener(new View.OnClickListener() { // from class: com.pica.picapica.MainActivity.1
                @Override // android.view.View.OnClickListener
                public void onClick(View view) {
                    MainActivity mainActivity = MainActivity.this;
                    // Both fields are trimmed before the check; on success the
                    // handler shows a toast, sleeps one second and opens MainActivity2.
                    if (mainActivity.check(mainActivity.emailInput.getText().toString().trim(), MainActivity.this.passWordInput.getText().toString().trim())) {
                        Toast.makeText(MainActivity.this, "登录成功", 0).show();
                        try {
                            Thread.sleep(1000L);
                        } catch (InterruptedException e) {
                            e.printStackTrace();
                        }
                        Intent intent2 = new Intent();
                        intent2.setClass(MainActivity.this, MainActivity2.class);
                        MainActivity.this.startActivity(intent2);
                    }
                }
            });
        }
    
        /**
         * Returns true only when the encrypted e-mail equals content0 and the
         * encrypted password equals content1.
         *
         * If encryptIntoHexString returns null, hexStringConvertBytes dereferences
         * it and throws a NullPointerException.
         */
        public boolean check(String email, String passWord) {
            byte[] cryData = hexStringConvertBytes(encryptIntoHexString(email, this.key));
            byte[] cryPW = hexStringConvertBytes(encryptIntoHexString(passWord, this.key));
            if (!Arrays.equals(cryData, this.content0) || !Arrays.equals(cryPW, this.content1)) {
                return false;
            }
            return true;
        }
    }
    

    使用了AES的CBC模式

    直接解就好了

    from Crypto.Cipher import AES
    
    def dn(text):
        """Decrypt *text* with AES-CBC and print the raw plaintext bytes.

        Key and IV are the constants embedded in the decompiled MainActivity.
        Nothing is unpadded, so the zero fill added by the app stays visible in
        the output.
        """
        cipher = AES.new(b"picapicapicapica", AES.MODE_CBC, b"0102030405060708")
        print(cipher.decrypt(text))
    # Signed Java bytes copied from the decompiled class: `password` is content1
    # and `email` is content0 there (ByteCompanionObject.MAX_VALUE written as 127).
    password = [-40, 26, 95, -49, -40, -123, 72, -90, -100, -41, 122, -4, 25, -101, -58, 116]
    email = [-114, 95, -37, 127, -110, 113, 41, 74, 40, 73, 19, 124, -57, -88, 39, -116, -16, -75, -3, -45, -73, -6, -104, -6, -78, 121, 110, 74, -90, -47, -28, -28]

    # Masking with 0xff maps Java's signed bytes (-128..127) onto 0..255.
    # Note that content0 here holds the password ciphertext and content01 the
    # e-mail ciphertext, which is the reverse of the naming in the Java class.
    content0 = bytes(b & 0xff for b in password)
    content01 = bytes(b & 0xff for b in email)
    for blob in (content0, content01):
        dn(blob)
    # b'picacomic\x00\x00\x00\x00\x00\x00\x00'
    # b'picacomic@gmail.com\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00'
           
    
    

    image-20220818162722785

    奇怪的交易

    文件有点大,upx先脱个壳

    image-20220818180013395

    py文件打包,把源码弄下

    # visit https://tool.lu/pyc/ for more information
    # Version: Python 3.10
    
    from cup import *
    if __name__ == '__main__':
        flag = input('\xe8\xaf\xb7\xe8\xbe\x93\xe5\x85\xa5flag')
        pub_key = [
            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
        m = libnum.s2n(flag)
        c = str(pow(m, pub_key[1], pub_key[0]))= []= [
            0xD28ED952L,
            1472742623,
            0xD91BA938L,
            0xF9F3BD2DL,
            0x8EF8E43DL,
            617653972,
            1474514999,
            1471783658,
            1012864704,
            0xD7821910L,
            993855884,
            438456717,
            0xC83555B7L,
            0xE8DFF468L,
            198959101,
            0xC5B84FEBL,
            0xD9F837C6L,
            613157871,
            0x8EFA4EDDL,
            97286225,
            0x8B4B608CL,
            1471645170,
            0xC0B62792L,
            583597118,
            0xAAB1C22DL,
            0xBDB9C266L,
            1384330715,
            0xAE9F9816L,
            0xD1F40B3CL,
            0x8206DDC3L,
            0xC4E0BADCL,
            0xE407BD26L,
            145643141,
            0x8016C6A5L,
            0xAF4AB9D3L,
            506798154,
            994590281,
            0x85082A0BL,
            0xCA0BC95AL,
            0xA7BE567CL,
            1105937096,
            1789727804,
            0xDFEFB591L,
            0x93346B38L,
            1162286478,
            680814033,
            0xAEE1A7A2L,
            0x80E574AEL,
            0xF154F55FL,
            2121620700,
            0xFCBDA653L,
            0x8E902444L,
            0xCA742E12L,
            0xB8424071L,
            0xB4B15EC2L,
            0x943BFA09L,
            0xBC97CD93L,
            1285603712,
            798920280,
            0x8B58328FL,
            0xF9822360L,
            0xD1FD15EEL,
            1077514121,
            1436444106,
            0xA2D6C17EL,
            1507202797,
            500756149,
            198754565,
            0x8E014807L,
            880454148,
            1970517398,
            0xBFC6EE25L,
            1161840191,
            560498076,
            1782600856,
            0x9D93FEBEL,
            1285196205,
            788797746,
            1195724574,
            0xF2174A07L,
            103427523,
            0x952BFE83L,
            0xF730AC4CL,
            617564657,
            978211984,
            1781482121,
            0x8379D23AL,
            0xEAD737EEL,
            0xE41555FBL,
            659557668,
            0x99F3B244L,
            1561884856,
            0x842C31A4L,
            1189296962,
            169145316,
            0xA5CE044CL,
            1323893433,
            824667876,
            408202876,
            0xE0178482L,
            0xF412BBBCL,
            1508996065,
            162419237,
            0xDE740B00L,
            0xB7CB64FDL,
            0xEBCADB1FL,
            0x8EAE2326L,
            0x933C216CL,
            0xD7D1F649L,
            481927014,
            0xA448AC16L,
            0xBC082807L,
            1261069441,
            2063238535,
            0x8474A61DL,
            101459755,
            0xBC5654D1L,
            1721190841,
            1078395785,
            176506553,
            0xD3C5280FL,
            1566142515,
            1938949000,
            1499289517,
            0xC59872F8L,
            829714860,
            0xE51502A2L,
            952932374,
            1283577465,
            2045007203,
            0xEBE6A798L,
            0xE09575CDL,
            0xADDF4157L,
            0xC4770191L,
            482297421,
            1734231412,
            0xDAC71054L,
            0x99807E43L,
            0xA88D74B1L,
            0xCB77E028L,
            1533519803,
            0xEEEBC3B6L,
            0xE7E680E5L,
            272960248,
            317508587,
            0xC4B10CDCL,
            0x91776399L,
            27470488,
            1666674386,
            1737927609,
            750987808,
            0x8E364D8FL,
            0xA0985A77L,
            562925334,
            0x837D6DC3L]
        i = 0
        if i < len(c):= 0
            for ii in c[i:i + 4]:= (<< 8) + ord(ii).append()
            i += 4
            if not i < len(c):= [
                    54,
                    54,
                    54,
                    54]= len()
                res = encrypt(,,)
                if==:
                    print('You are right!')
                    input('')
                    quit()
                else:
                    print('Why not drink a cup of tea and have a rest?')
        continue
    

    encrypt函数在cup库里,被加密了

    然后寄了,后面看别人的wp

    原因是在https://mp.weixin.qq.com/s?__biz=Mzg3ODY3MzcwMQ==&mid=2247485017&idx=1&sn=8e44e93039c97980727bfb0105688e4d&chksm=cf116c13f866e505deb831f0492ed2e3ef2b81a765e743595302c24097ddfea5491d9fa9cb9c&scene=126&sessionid=1642907039&key=e2a2ab8e639837ac5cd2a0b1bc98e231dbf49bf6d9077de26a92de6a4f8d5530b46168a7e80d35a97461dfe3351b1e172fa3116bf09c6945342a32e2ef192403aa29ac4ae528cc28ffbfb3758ed2c1abedaba4bb5aad8da6ab9211fa4400803f2983d0d560719994989f1b8e9d1d38629a939b85c95bd36c58d633126b159c63&ascene=1&uin=NTY2NTA4NjQ%3D&devicetype=Windows+Server+2016+x64&version=6304051b&lang=zh_CN&exportkey=Awy1d033RrNUGWM%2

    这里面有写了,带了key

    根据文章中例子,我们找到pyimod00_crypto_key文件

    #!/usr/bin/env python
    # visit https://tool.lu/pyc/ for more information
    # Version: Python 3.10
    
    # Value recovered from the pyimod00_crypto_key module of the unpacked
    # executable. The decryption script on this page encodes it as UTF-8 and
    # uses it as the AES key for the encrypted module.
    key = '0000000000000tea'
    
    

    使用如下脚本

    import tinyaes
    import zlib
     
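    # AES block size in bytes; the encrypted file starts with an IV of this size.
    CRYPT_BLOCK_SIZE = 16

    # Key taken from crypt_key.pyc (it can also be recovered by decompiling it).
    key = bytes('0000000000000tea', 'utf-8')

    # Context managers close both files even when decryption or decompression
    # raises, instead of leaving the handles open until interpreter exit.
    with open('cup.pyc.encrypted', 'rb') as inf, open('output.pyc', 'wb') as outf:
        # The first block of the encrypted file is the IV.
        iv = inf.read(CRYPT_BLOCK_SIZE)

        cipher = tinyaes.AES(key, iv)

        # Decrypt the remainder in CTR mode, then inflate the zlib stream.
        # A wrong key or a damaged file surfaces here as zlib.error.
        plaintext = zlib.decompress(cipher.CTR_xcrypt_buffer(inf.read()))

        # Prepend a 16-byte .pyc header (magic number followed by zeroed fields)
        # so that decompilers accept the file; it can also be added afterwards.
        outf.write(b'\x6f\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0')

        # Write the decrypted module body.
        outf.write(plaintext)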
    

    然后就可以了

    #!/usr/bin/env python
    # visit https://tool.lu/pyc/ for more information
    import libnum
    from ctypes import *
    
    def MX(z, y, total, key, p, e):
        """Return the XXTEA mixing value for one word as a c_uint32.

        z, y, total and e are c_uint32 objects, key is an indexable sequence of
        integers and p is a plain int. The arithmetic is done on Python integers
        and only the final result is truncated to 32 bits by c_uint32.
        """
        zv, yv = z.value, y.value
        # Shift/XOR part built from the two neighbouring words.
        shift_mix = (zv >> 5 ^ yv << 2) + (yv >> 3 ^ zv << 4)
        # Running total and the key word selected by the low bits of p and e.
        key_mix = (total.value ^ yv) + (key[p & 3 ^ e.value] ^ zv)
        return c_uint32(shift_mix ^ key_mix)
    
    
    # Decompiler output for the cup module's encrypt(); it is not runnable as
    # shown. The trailing `L` on the constant is not Python 3 syntax, and the two
    # `if` statements sit where the round structure of the algorithm would need
    # loops, so the decompiler presumably failed to rebuild them. Only the update
    # of the last word is visible; compare with the C btea() on this page for the
    # complete round.
    # Parameters, in order: number of words, list of 32-bit words (updated in
    # place and returned), key sequence handed to MX.
    def encrypt(ᘗ, ᘖ, ᘘ):
        # Constant added to `total` at the start of a round.
        ᘜ = 0x9E3779B9L
        # Round counter: 6 + 52 // word count.
        ᘛ = 6 + 52 // ᘗ
        total = c_uint32(0)
        # Starts as the last word of the data.
        ᘔ = c_uint32(ᘖ[ᘗ - 1])
        ᘕ = c_uint32(0)
        if ᘛ > 0:
            total.value += ᘜ
            # Two bits of the running total, passed to MX as `e`.
            ᘕ.value = total.value >> 2 & 3
            ᘚ = c_uint32(ᘖ[0])
            # Last word += MX(...), truncated to 32 bits by c_uint32.
            ᘖ[ᘗ - 1] = c_uint32(ᘖ[ᘗ - 1] + MX(ᘔ, ᘚ, total, ᘘ, ᘗ - 1, ᘕ).value).value
            ᘔ.value = ᘖ[ᘗ - 1]
            ᘛ -= 1
            if not ᘛ > 0:
                return ᘖ
    

    xxtea加密

    #include <stdint.h>
    #include <stdio.h>
    
    #define KEYLEN 4
    #define DELTA 0x9e3779b9
    #define LUN 32
    
    void Encrypt(unsigned int * v, unsigned int * k);
    void Decrypt(unsigned int * v, unsigned int * k);
    
    #define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))
     
    /*
     * XXTEA over an array of 32-bit words, in place.
     *   n > 1   : encrypt v[0 .. n-1]
     *   n < -1  : decrypt v[0 .. -n-1]
     *   other n : v is left unchanged
     * key holds four 32-bit words. The MX macro defined above reads the locals
     * y, z, sum, p, e and key by name, so the statement order and the variable
     * names in this function must be kept as they are.
     */
    void btea(uint32_t *v, int n, uint32_t const key[4])
    {
        uint32_t y, z, sum;
        unsigned p, rounds, e;
        if (n > 1)            /* Coding Part */
        {
            /* Fewer words means more rounds. */
            rounds = 6 + 52/n;
            sum = 0;
            z = v[n-1];
            do
            {
                sum += DELTA;
                e = (sum >> 2) & 3;
                /* Each word is updated from its right neighbour (y) and the
                   previously updated word (z). */
                for (p=0; p<n-1; p++)
                {
                    y = v[p+1];
                    z = v[p] += MX;
                }
                /* The last word wraps around to v[0]; p equals n-1 here. */
                y = v[0];
                z = v[n-1] += MX;
            }
            while (--rounds);
        }
        else if (n < -1)      /* Decoding Part */
        {
            n = -n;
            rounds = 6 + 52/n;
            /* Start from the final value sum reached during encryption. */
            sum = rounds*DELTA;
            y = v[0];
            do
            {
                e = (sum >> 2) & 3;
                /* Undo the word updates in reverse order. */
                for (p=n-1; p>0; p--)
                {
                    z = v[p-1];
                    y = v[p] -= MX;
                }
                /* p equals 0 here; v[0] wraps around to the last word. */
                z = v[n-1];
                y = v[0] -= MX;
                sum -= DELTA;
            }
            while (--rounds);
        }
    }
     
     
    
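    /*
     * Decrypts the word list taken from the decompiled script with XXTEA and
     * prints each word as four characters, most significant byte first.
     */
    int main(void)
    {
        /* 155 ciphertext words followed by one trailing 0 that is not processed (n = 155). */
        uint32_t v[] = { 0xD28ED952, 1472742623, 0xD91BA938, 0xF9F3BD2D, 0x8EF8E43D, 617653972, 1474514999, 1471783658, 1012864704, 0xD7821910, 993855884, 438456717, 0xC83555B7, 0xE8DFF468, 198959101, 0xC5B84FEB, 0xD9F837C6, 613157871, 0x8EFA4EDD, 97286225, 0x8B4B608C, 1471645170, 0xC0B62792, 583597118, 0xAAB1C22D, 0xBDB9C266, 1384330715, 0xAE9F9816, 0xD1F40B3C, 0x8206DDC3, 0xC4E0BADC, 0xE407BD26, 145643141, 0x8016C6A5, 0xAF4AB9D3, 506798154, 994590281, 0x85082A0B, 0xCA0BC95A, 0xA7BE567C, 1105937096, 1789727804, 0xDFEFB591, 0x93346B38, 1162286478, 680814033, 0xAEE1A7A2, 0x80E574AE, 0xF154F55F, 2121620700, 0xFCBDA653, 0x8E902444, 0xCA742E12, 0xB8424071, 0xB4B15EC2, 0x943BFA09, 0xBC97CD93, 1285603712, 798920280, 0x8B58328F, 0xF9822360, 0xD1FD15EE, 1077514121, 1436444106, 0xA2D6C17E, 1507202797, 500756149, 198754565, 0x8E014807, 880454148, 1970517398, 0xBFC6EE25, 1161840191, 560498076, 1782600856, 0x9D93FEBE, 1285196205, 788797746, 1195724574, 0xF2174A07, 103427523, 0x952BFE83, 0xF730AC4C, 617564657, 978211984, 1781482121, 0x8379D23A, 0xEAD737EE, 0xE41555FB, 659557668, 0x99F3B244, 1561884856, 0x842C31A4, 1189296962, 169145316, 0xA5CE044C, 1323893433, 824667876, 408202876, 0xE0178482, 0xF412BBBC, 1508996065, 162419237, 0xDE740B00, 0xB7CB64FD, 0xEBCADB1F, 0x8EAE2326, 0x933C216C, 0xD7D1F649, 481927014, 0xA448AC16, 0xBC082807, 1261069441, 2063238535, 0x8474A61D, 101459755, 0xBC5654D1, 1721190841, 1078395785, 176506553, 0xD3C5280F, 1566142515, 1938949000, 1499289517, 0xC59872F8, 829714860, 0xE51502A2, 952932374, 1283577465, 2045007203, 0xEBE6A798, 0xE09575CD, 0xADDF4157, 0xC4770191, 482297421, 1734231412, 0xDAC71054, 0x99807E43, 0xA88D74B1, 0xCB77E028, 1533519803, 0xEEEBC3B6, 0xE7E680E5, 272960248, 317508587, 0xC4B10CDC, 0x91776399, 27470488, 1666674386, 1737927609, 750987808, 0x8E364D8F, 0xA0985A77, 562925334, 0x837D6DC3, 0 };
        /* Key words as they appear in the decompiled script. */
        uint32_t k[] = { 54, 54, 54, 54 };
        int n = 155;
        int i;

        /* A negative word count selects decryption in btea(). */
        btea(v, -n, k);

        /* Extract the bytes with shifts rather than through an unsigned char
           pointer: the output is the same on a little-endian host and no longer
           depends on the byte order of the machine running the program. */
        for (i = 0; i < n; i++)
            printf("%c%c%c%c",
                   (int)((v[i] >> 24) & 0xff),
                   (int)((v[i] >> 16) & 0xff),
                   (int)((v[i] >> 8) & 0xff),
                   (int)(v[i] & 0xff));

        return 0;
    }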
    

    image-20220818195523179

    flag{You_Need_Some_Tea}

  • 原文地址:https://blog.csdn.net/a257131460266666/article/details/126413158