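starctf wrapped up a couple of days ago, and it really felt like doing time. I solved three challenges during the competition and finally cracked one more after it ended.

GoGpt

Just routine Go reversing. According to the challenge description, the challenge was written by ChatGPT. Haha, so AI can write challenges now, though in the end it is still an easy one~

flagfile

This one is interesting. It relies on the fact that the Linux `file -m` command accepts a custom `magic file`, and checks whether every byte of a file matches the rules in the magic file to decide whether it is the correct flag. After finishing it I suddenly realized: wherever there are rules, there is reversing!

ez_code

It uses PowerShell special-symbol obfuscation. Thanks go to an article on Kanxue, where I saw a comment underneath: "Everyone, study this well, it might show up in a CTF someday." I could not keep a straight face. This kind of obfuscation is usually meant for AV evasion. I don't know whether I will manage the next time I meet a different obfuscation, but they basically all come down to the same principles~

boring cipher

This one was torture. The Rust reversing itself was fine: having endured the inhuman torment of so many Go reversing challenges, Rust looked like small fry next to Go, so I quickly wrote out the forward code. The next task was the inverse script. At first I thought, a mere inverse script, I will just derive it straight from the forward code! Then I found... damn, there is nothing invertible in it at all! Then I remembered the magical `z3` and went all in on `z3` for this challenge. I crammed a great many `z3` tricks, but none of it helped... For a while I thought the `z3` script simply had not run long enough, so I waited and waited, until the script used up all the space on my C drive and still produced nothing. I then moved to a virtual machine and ran the code there, staring at the screen until six in the morning, and still no flag /(ㄒoㄒ)/~ I was falling apart. The day after `starctf` ended I spent another whole day on `boring cipher`, and finally noticed that the huge constant array in the forward code seemed to hide something. After some analysis, the flag finally came out.

Challenge attachment: click to download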
# GoGpt
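Open the binary in IDA: the assembly starting at `0x45FE80` has not been recognized.

Press Alt+L to select the unrecognized region, then press C to re-analyze the `.text` segment.

Then use IDAGolangHelper_SupportGo1.20 to recover the function symbols.

Locate the `main_main` function; it turns out to be a simple XOR + base64.

Dynamic debugging shows that the XOR string changes.

The exp is as follows:

```python
import base64

enc = b"fiAGBkgXN3McFy9hAHRfCwYaIjQCRDFsXC8ZYBFmEDU="
# xor_str = b"cH@t_GpT_15_h3R3"
xor_str = b"TcR@3t_3hp_5_G1H"  # XOR string after it changes (seen while debugging)
ss = base64.b64decode(enc)
# print(ss)
for index, ch in enumerate(ss):
    print(chr(ch ^ xor_str[index % 16]), end='')
# *CTF{ch@tgpT_3nCRypt10n_4_FUN!!}
```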
# flagfile
First, take a look at the readme.txt in the attachment:

```
generate your own flag file, verify using `file` command like this:
$ file -m flag.mgc flag
flag: yes, it's a flag!
$ file --version
file-5.41
magic file from /usr/share/file/magic
```

So let's see what the `file -m` option means. It turns out you can write your own rules for matching what type a file is:

```
oacia@oacia-virtual-machine:~/Desktop/flagfile$ file --help
Usage: file [OPTION...] [FILE...]
Determine type of FILEs.

      --help                 display this help and exit
  -v, --version              output version information and exit
  -m, --magic-file LIST      use LIST as a colon-separated list of magic
                               number files
```

Next, download the source code of `file5.4.1` from GitHub and have a look.

The key is to understand the definition of struct `magic` in `file.h`:
```c
union VALUETYPE {
	uint8_t b;
	uint16_t h;
	uint32_t l;
	uint64_t q;
	uint8_t hs[2];	/* 2 bytes of a fixed-endian "short" */
	uint8_t hl[4];	/* 4 bytes of a fixed-endian "long" */
	uint8_t hq[8];	/* 8 bytes of a fixed-endian "quad" */
	char s[MAXstring];	/* the search string or regex pattern */
	unsigned char us[MAXstring];
	uint64_t guid[2];
	float f;
	double d;
};

struct magic {
	/* Word 1 */
	uint16_t cont_level;	/* level of ">" */
	uint8_t flag;
#define INDIR		0x01	/* if '(...)' appears */
#define OFFADD		0x02	/* if '>&' or '>...(&' appears */
#define INDIROFFADD	0x04	/* if '>&(' appears */
#define UNSIGNED	0x08	/* comparison is unsigned */
#define NOSPACE		0x10	/* suppress space character before output */
#define BINTEST		0x20	/* test is for a binary type (set only
				   for top-level tests) */
#define TEXTTEST	0x40	/* for passing to file_softmagic */
#define OFFNEGATIVE	0x80	/* relative to the end of file */

	uint8_t factor;

	/* Word 2 */
	uint8_t reln;		/* relation (0=eq, '>'=gt, etc) */
	uint8_t vallen;		/* length of string value, if any */
	uint8_t type;		/* comparison type (FILE_*) */
	uint8_t in_type;	/* type of indirection */
#define FILE_INVALID		0
#define FILE_BYTE		1
#define FILE_SHORT		2
#define FILE_DEFAULT		3
#define FILE_LONG		4
#define FILE_STRING		5
#define FILE_DATE		6
#define FILE_BESHORT		7
#define FILE_BELONG		8
#define FILE_BEDATE		9
#define FILE_LESHORT		10
#define FILE_LELONG		11
#define FILE_LEDATE		12
#define FILE_PSTRING		13
#define FILE_LDATE		14
#define FILE_BELDATE		15
#define FILE_LELDATE		16
#define FILE_REGEX		17
#define FILE_BESTRING16		18
#define FILE_LESTRING16		19
#define FILE_SEARCH		20
#define FILE_MEDATE		21
#define FILE_MELDATE		22
#define FILE_MELONG		23
#define FILE_QUAD		24
#define FILE_LEQUAD		25
#define FILE_BEQUAD		26
#define FILE_QDATE		27
#define FILE_LEQDATE		28
#define FILE_BEQDATE		29
#define FILE_QLDATE		30
#define FILE_LEQLDATE		31
#define FILE_BEQLDATE		32
#define FILE_FLOAT		33
#define FILE_BEFLOAT		34
#define FILE_LEFLOAT		35
#define FILE_DOUBLE		36
#define FILE_BEDOUBLE		37
#define FILE_LEDOUBLE		38
#define FILE_BEID3		39
#define FILE_LEID3		40
#define FILE_INDIRECT		41
#define FILE_QWDATE		42
#define FILE_LEQWDATE		43
#define FILE_BEQWDATE		44
#define FILE_NAME		45
#define FILE_USE		46
#define FILE_CLEAR		47
#define FILE_DER		48
#define FILE_GUID		49
#define FILE_OFFSET		50
#define FILE_BEVARINT		51
#define FILE_LEVARINT		52
#define FILE_NAMES_SIZE		53 /* size of array to contain all names */

#define IS_STRING(t) \
	((t) == FILE_STRING || \
	 (t) == FILE_PSTRING || \
	 (t) == FILE_BESTRING16 || \
	 (t) == FILE_LESTRING16 || \
	 (t) == FILE_REGEX || \
	 (t) == FILE_SEARCH || \
	 (t) == FILE_INDIRECT || \
	 (t) == FILE_NAME || \
	 (t) == FILE_USE)

#define FILE_FMT_NONE	0
#define FILE_FMT_NUM	1 /* "cduxXi" */
#define FILE_FMT_STR	2 /* "s" */
#define FILE_FMT_QUAD	3 /* "ll" */
#define FILE_FMT_FLOAT	4 /* "eEfFgG" */
#define FILE_FMT_DOUBLE	5 /* "eEfFgG" */

	/* Word 3 */
	uint8_t in_op;		/* operator for indirection */
	uint8_t mask_op;	/* operator for mask */
#ifdef ENABLE_CONDITIONALS
	uint8_t cond;		/* conditional type */
#else
	uint8_t dummy;
#endif
	uint8_t factor_op;
#define FILE_FACTOR_OP_PLUS	'+'
#define FILE_FACTOR_OP_MINUS	'-'
#define FILE_FACTOR_OP_TIMES	'*'
#define FILE_FACTOR_OP_DIV	'/'
#define FILE_FACTOR_OP_NONE	'\0'

#define FILE_OPS	"&|^+-*/%"
#define FILE_OPAND	0
#define FILE_OPOR	1
#define FILE_OPXOR	2
#define FILE_OPADD	3
#define FILE_OPMINUS	4
#define FILE_OPMULTIPLY	5
#define FILE_OPDIVIDE	6
#define FILE_OPMODULO	7
#define FILE_OPS_MASK	0x07 /* mask for above ops */
#define FILE_UNUSED_1	0x08
#define FILE_UNUSED_2	0x10
#define FILE_OPSIGNED	0x20
#define FILE_OPINVERSE	0x40
#define FILE_OPINDIRECT	0x80

#ifdef ENABLE_CONDITIONALS
#define COND_NONE	0
#define COND_IF		1
#define COND_ELIF	2
#define COND_ELSE	3
#endif /* ENABLE_CONDITIONALS */

	/* Word 4 */
	int32_t offset;		/* offset to magic number */
	/* Word 5 */
	int32_t in_offset;	/* offset from indirection */
	/* Word 6 */
	uint32_t lineno;	/* line number in magic file */
	/* Word 7,8 */
	union {
		uint64_t _mask;	/* for use with numeric and date types */
		struct {
			uint32_t _count;	/* repeat/line count */
			uint32_t _flags;	/* modifier flags */
		} _s;		/* for use with string types */
	} _u;
#define num_mask _u._mask
#define str_range _u._s._count
#define str_flags _u._s._flags
	/* Words 9-24 */
	union VALUETYPE value;	/* either number or string */
	/* Words 25-40 */
	char desc[MAXDESC];	/* description */
	/* Words 41-60 */
	char mimetype[MAXMIME];	/* MIME type */
	/* Words 61-62 */
	char apple[8];		/* APPLE CREATOR/TYPE */
	/* Words 63-78 */
	char ext[64];		/* Popular extensions */
};
```
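Open `flag.mgc` in `010editor`. What we need to do is map the bytes in `flag.mgc` one-to-one onto the members of struct `magic`, and then work out what each byte means.

We read memory in units of `sizeof(struct magic)` starting from offset `0x178`. As for how to know that: look at how much the string `flag{` stands out, and only the word starting at `0x178` is not all zeros. How could one not imagine that the offset starts right here~

```c
int main(){
    FILE *fp = fopen("./flag.mgc","rb");
    if(fp == NULL) return 1;                      /* flag.mgc must be in the cwd */
    struct magic buffer[100];
    fseek(fp,0x178,SEEK_SET);                     /* jump to the first entry */
    fread(buffer,sizeof(struct magic),0x42,fp);   /* read 0x42 entries */
    fclose(fp);
}
```

So `buffer` now holds all the important content of `flag.mgc`. Let's print it and take a look: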
```c
/* Dump every member of one entry. num_mask is 64-bit and value is a union,
   so both are narrowed explicitly to match the %x format. */
void print_buffer(struct magic buffer,int index){
    printf("buffer[%d]->cont_level = 0x%x\n",index,buffer.cont_level);
    printf("buffer[%d]->flag = 0x%x\n",index,buffer.flag);
    printf("buffer[%d]->factor = 0x%x\n",index,buffer.factor);
    printf("buffer[%d]->reln = 0x%x\n",index,buffer.reln);
    printf("buffer[%d]->vallen = 0x%x\n",index,buffer.vallen);
    printf("buffer[%d]->type = 0x%x\n",index,buffer.type);
    printf("buffer[%d]->in_type = 0x%x\n",index,buffer.in_type);
    printf("buffer[%d]->in_op = 0x%x\n",index,buffer.in_op);
    printf("buffer[%d]->mask_op = 0x%x\n",index,buffer.mask_op);
    printf("buffer[%d]->dummy = 0x%x\n",index,buffer.dummy);
    printf("buffer[%d]->factor_op = 0x%x\n",index,buffer.factor_op);
    printf("buffer[%d]->offset = 0x%x\n",index,(unsigned)buffer.offset);
    printf("buffer[%d]->in_offset = 0x%x\n",index,(unsigned)buffer.in_offset);
    printf("buffer[%d]->lineno = 0x%x\n",index,buffer.lineno);
    printf("buffer[%d]->num_mask = 0x%x\n",index,(unsigned)buffer.num_mask); /* low 32 bits */
    printf("buffer[%d]->str_range = 0x%x\n",index,buffer.str_range);
    printf("buffer[%d]->str_flags = 0x%x\n",index,buffer.str_flags);
    if(buffer.type==FILE_STRING){
        printf("buffer[%d]->value = \"%s\"\n",index,buffer.value.s);
    }
    else{
        printf("buffer[%d]->value = 0x%x\n",index,(unsigned)buffer.value.l);
    }
    printf("buffer[%d]->desc = \"%s\"\n",index,buffer.desc);
    printf("buffer[%d]->mimetype = \"%s\"\n",index,buffer.mimetype);
    printf("buffer[%d]->apple = \"%s\"\n",index,buffer.apple);
    printf("buffer[%d]->ext = \"%s\"\n\n",index,buffer.ext);
}
```
Let's pick a few representative entries and analyze them.

member | Description | buffer[0] | buffer[1] | buffer[33] |
---|---|---|---|---|
cont_level | level of ">" | 0x0 | 0x1 | 0x21 |
flag | 0x0 means nothing special; 0x1 means '(...)' appears in the rule | 0x20 | 0x0 | 0x1 |
factor | | 0x0 | 0x0 | 0x0 |
reln | relation (0=eq, '>'=gt, etc) | = | = | = |
vallen | if the type is a string, vallen is the length of the string | 0x5 | 0x0 | 0x0 |
type | comparison type (FILE_*); 0x5 is FILE_STRING (string type), 0xa is FILE_LESHORT (short type, 2 bytes), 0x1 is FILE_BYTE (byte type, 1 byte) | 0x5 | 0xa | 0x1 |
in_type | type of indirection, i.e. the type of the indirectly referenced data; 0x1 means the indirectly referenced data is FILE_BYTE (byte type, 1 byte) | 0x0 | 0x0 | 0x1 |
in_op | operator for indirection | 0x0 | 0x0 | 0x0 |
mask_op | operator for mask; per the struct definition, 0x2 is FILE_OPXOR, i.e. XOR | 0x0 | 0x2 | 0x2 |
dummy | | 0x0 | 0x0 | 0x0 |
factor_op | | 0x0 | 0x0 | 0x0 |
offset | offset relative to the magic number | 0x0 | 0x40 | 0x40 |
in_offset | offset from indirection | 0x0 | 0x0 | 0x0 |
lineno | line number in magic file | 0x1 | 0x2 | 0x22 |
num_mask | holds the number used by the mask operator; here the number in buffer[1] is XORed, so the XOR operand is 0x76 | 0x0 | 0x76 | 0xffffff8a |
value | holds the value finally used in the numeric or string comparison; since value is a union, the stored type must first be determined from type before printing it | "flag{" | 0x6f | 0xec |
desc | | "" | "" | "" |
mimetype | | "" | "" | "" |
apple | | "" | "" | "" |
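From this we know that `buffer[1]~buffer[32]` serve to assign values to a block of memory.

For `buffer[1]`, the rule requires `memory[buffer[1].offset]^buffer[1].num_mask=buffer[1].value.h`.

As for `buffer[33]~buffer[64]`, since the indirection type `buffer[33].in_type` is `0x1`, we have to work out where the indirection is used. We notice that `buffer[33].flag` is `0x1`, which means `(...)` is present, and what is inside the parentheses is the indirectly referenced data. Recall that `buffer[1]~buffer[32]` assigned values to a block of memory; this is where that earlier setup pays off: the indirection refers to the values in that memory. We also notice that `buffer[1].offset==buffer[33].offset==0x40`. If the offsets were different, how could the corresponding value ever be fetched? Its purpose is to compare against each character of the final flag, so the rule is `buffer[33].value.b^buffer[33].num_mask==flag[memory[buffer[33].offset]]`, which decides whether the `flag` is correct.

With the analysis done, we can write the exp: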
```c
#include <stdio.h>
#include <stdint.h>	/* fixed-width integer types used by struct magic */

#define MAXDESC	64		/* max len of text description/MIME type */
#define MAXMIME	80		/* max len of text MIME type */
#define MAXstring 128		/* max len of "string" types */
#define MAGIC_SETS	2

union VALUETYPE {
	uint8_t b;
	uint16_t h;
	uint32_t l;
	uint64_t q;
	uint8_t hs[2];	/* 2 bytes of a fixed-endian "short" */
	uint8_t hl[4];	/* 4 bytes of a fixed-endian "long" */
	uint8_t hq[8];	/* 8 bytes of a fixed-endian "quad" */
	char s[MAXstring];	/* the search string or regex pattern */
	unsigned char us[MAXstring];
	uint64_t guid[2];
	float f;
	double d;
};

struct magic {
	/* Word 1 */
	uint16_t cont_level;	/* level of ">" */
	uint8_t flag;
#define INDIR		0x01	/* if '(...)' appears */
#define OFFADD		0x02	/* if '>&' or '>...(&' appears */
#define INDIROFFADD	0x04	/* if '>&(' appears */
#define UNSIGNED	0x08	/* comparison is unsigned */
#define NOSPACE		0x10	/* suppress space character before output */
#define BINTEST		0x20	/* test is for a binary type (set only
				   for top-level tests) */
#define TEXTTEST	0x40	/* for passing to file_softmagic */
#define OFFNEGATIVE	0x80	/* relative to the end of file */

	uint8_t factor;

	/* Word 2 */
	uint8_t reln;		/* relation (0=eq, '>'=gt, etc) */
	uint8_t vallen;		/* length of string value, if any */
	uint8_t type;		/* comparison type (FILE_*) */
	uint8_t in_type;	/* type of indirection */
#define FILE_INVALID		0
#define FILE_BYTE		1
#define FILE_SHORT		2
#define FILE_DEFAULT		3
#define FILE_LONG		4
#define FILE_STRING		5
#define FILE_DATE		6
#define FILE_BESHORT		7
#define FILE_BELONG		8
#define FILE_BEDATE		9
#define FILE_LESHORT		10
#define FILE_LELONG		11
#define FILE_LEDATE		12
#define FILE_PSTRING		13
#define FILE_LDATE		14
#define FILE_BELDATE		15
#define FILE_LELDATE		16
#define FILE_REGEX		17
#define FILE_BESTRING16		18
#define FILE_LESTRING16		19
#define FILE_SEARCH		20
#define FILE_MEDATE		21
#define FILE_MELDATE		22
#define FILE_MELONG		23
#define FILE_QUAD		24
#define FILE_LEQUAD		25
#define FILE_BEQUAD		26
#define FILE_QDATE		27
#define FILE_LEQDATE		28
#define FILE_BEQDATE		29
#define FILE_QLDATE		30
#define FILE_LEQLDATE		31
#define FILE_BEQLDATE		32
#define FILE_FLOAT		33
#define FILE_BEFLOAT		34
#define FILE_LEFLOAT		35
#define FILE_DOUBLE		36
#define FILE_BEDOUBLE		37
#define FILE_LEDOUBLE		38
#define FILE_BEID3		39
#define FILE_LEID3		40
#define FILE_INDIRECT		41
#define FILE_QWDATE		42
#define FILE_LEQWDATE		43
#define FILE_BEQWDATE		44
#define FILE_NAME		45
#define FILE_USE		46
#define FILE_CLEAR		47
#define FILE_DER		48
#define FILE_GUID		49
#define FILE_OFFSET		50
#define FILE_BEVARINT		51
#define FILE_LEVARINT		52
#define FILE_NAMES_SIZE		53 /* size of array to contain all names */

#define IS_STRING(t) \
	((t) == FILE_STRING || \
	 (t) == FILE_PSTRING || \
	 (t) == FILE_BESTRING16 || \
	 (t) == FILE_LESTRING16 || \
	 (t) == FILE_REGEX || \
	 (t) == FILE_SEARCH || \
	 (t) == FILE_INDIRECT || \
	 (t) == FILE_NAME || \
	 (t) == FILE_USE)

#define FILE_FMT_NONE	0
#define FILE_FMT_NUM	1 /* "cduxXi" */
#define FILE_FMT_STR	2 /* "s" */
#define FILE_FMT_QUAD	3 /* "ll" */
#define FILE_FMT_FLOAT	4 /* "eEfFgG" */
#define FILE_FMT_DOUBLE	5 /* "eEfFgG" */

	/* Word 3 */
	uint8_t in_op;		/* operator for indirection */
	uint8_t mask_op;	/* operator for mask */
#ifdef ENABLE_CONDITIONALS
	uint8_t cond;		/* conditional type */
#else
	uint8_t dummy;
#endif
	uint8_t factor_op;
#define FILE_FACTOR_OP_PLUS	'+'
#define FILE_FACTOR_OP_MINUS	'-'
#define FILE_FACTOR_OP_TIMES	'*'
#define FILE_FACTOR_OP_DIV	'/'
#define FILE_FACTOR_OP_NONE	'\0'

#define FILE_OPS	"&|^+-*/%"
#define FILE_OPAND	0
#define FILE_OPOR	1
#define FILE_OPXOR	2
#define FILE_OPADD	3
#define FILE_OPMINUS	4
#define FILE_OPMULTIPLY	5
#define FILE_OPDIVIDE	6
#define FILE_OPMODULO	7
#define FILE_OPS_MASK	0x07 /* mask for above ops */
#define FILE_UNUSED_1	0x08
#define FILE_UNUSED_2	0x10
#define FILE_OPSIGNED	0x20
#define FILE_OPINVERSE	0x40
#define FILE_OPINDIRECT	0x80

#ifdef ENABLE_CONDITIONALS
#define COND_NONE	0
#define COND_IF		1
#define COND_ELIF	2
#define COND_ELSE	3
#endif /* ENABLE_CONDITIONALS */

	/* Word 4 */
	int32_t offset;		/* offset to magic number */
	/* Word 5 */
	int32_t in_offset;	/* offset from indirection */
	/* Word 6 */
	uint32_t lineno;	/* line number in magic file */
	/* Word 7,8 */
	union {
		uint64_t _mask;	/* for use with numeric and date types */
		struct {
			uint32_t _count;	/* repeat/line count */
			uint32_t _flags;	/* modifier flags */
		} _s;		/* for use with string types */
	} _u;
#define num_mask _u._mask
#define str_range _u._s._count
#define str_flags _u._s._flags
	/* Words 9-24 */
	union VALUETYPE value;	/* either number or string */
	/* Words 25-40 */
	char desc[MAXDESC];	/* description */
	/* Words 41-60 */
	char mimetype[MAXMIME];	/* MIME type */
	/* Words 61-62 */
	char apple[8];		/* APPLE CREATOR/TYPE */
	/* Words 63-78 */
	char ext[64];		/* Popular extensions */
};

int main(){
    /* zero-initialised so untouched slots are NUL rather than stack garbage */
    unsigned char flag[1000] = {0}, flag_index[1000] = {0};
    FILE *fp = fopen("./flag.mgc","rb");
    if(fp == NULL){
        perror("flag.mgc");
        return 1;
    }
    struct magic buffer[100];
    fseek(fp,0x178,SEEK_SET);
    fread(buffer,sizeof(struct magic),0x42,fp);
    fclose(fp);
    int xor_val = 0;
    for(int i=0;i<0x42;i++){
        //printf("%d\n",buffer[i].mask_op); // prints 2 everywhere; per mask_op this is XOR
        if(buffer[i].mask_op){
            xor_val = buffer[i]._u._mask&0xff;
        }
        else{
            xor_val = 0;
        }
        switch(buffer[i].type){
        case FILE_BYTE:
            //printf("8%c\n",buffer[i].value.b);
            /* indirect byte rule: place the flag character at the stored index */
            flag[flag_index[buffer[i].offset]] = buffer[i].value.b^xor_val;
            break;
        case FILE_SHORT:
        case FILE_BESHORT:
        case FILE_LESHORT:
            //printf("16%c\n",buffer[i].value.h);
            /* short rule: recover the index stored at this offset */
            flag_index[buffer[i].offset] = buffer[i].value.h^xor_val;
            break;
        case FILE_DATE:
        case FILE_BEDATE:
        case FILE_LEDATE:
        case FILE_MEDATE:
        case FILE_LDATE:
        case FILE_BELDATE:
        case FILE_LELDATE:
        case FILE_MELDATE:
        case FILE_LONG:
        case FILE_BELONG:
        case FILE_LELONG:
        case FILE_MELONG:
        case FILE_FLOAT:
        case FILE_BEFLOAT:
        case FILE_LEFLOAT:
            printf("32%c",(int)buffer[i].value.l);
            break;
        case FILE_QUAD:
        case FILE_BEQUAD:
        case FILE_LEQUAD:
        case FILE_QDATE:
        case FILE_QLDATE:
        case FILE_QWDATE:
        case FILE_BEQDATE:
        case FILE_BEQLDATE:
        case FILE_BEQWDATE:
        case FILE_LEQDATE:
        case FILE_LEQLDATE:
        case FILE_LEQWDATE:
        case FILE_DOUBLE:
        case FILE_BEDOUBLE:
        case FILE_LEDOUBLE:
        case FILE_OFFSET:
        case FILE_BEVARINT:
        case FILE_LEVARINT:
            printf("%c",(int)buffer[i].value.q);
            break;
        case FILE_STRING:
        case FILE_PSTRING:
        case FILE_BESTRING16:
        case FILE_LESTRING16:
        case FILE_REGEX:
        case FILE_SEARCH:
        case FILE_DEFAULT:
        case FILE_INDIRECT:
        case FILE_NAME:
        case FILE_USE:
        case FILE_CLEAR:
        case FILE_DER:
        case FILE_GUID:
            //printf("%s\n",buffer[i].value.s);
            /* string rule: copy the literal into the flag at its offset */
            for(int k=0;k<buffer[i].vallen;k++){
                flag[k+buffer[i].offset] = buffer[i].value.s[k];
            }
            break;
        default:
            break;
        }
    }
    for(int i=0;i<100 && flag[i];i++){
        printf("%c",flag[i]);
        //flag{_oh_yes_you_got_the_flag___^_^__}
    }
}
```
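The two rules derived above (XOR-masked shorts that store an index, then indirect byte checks against the flag), as an added Python example that is not the author's exp: it unpacks the `struct magic` layout quoted on this page with the `struct` module instead of a C cast, shows that one record is `0x178` bytes (the same value as the starting offset used above), and masks the sign-extended `num_mask` down to 8 bits. `build_sample`, its `flag{constructed_demo}` blob and the per-entry offsets `0x40 + 2*i` are constructed stand-ins, not data from `flag.mgc`.

```python
import struct
from collections import namedtuple

# `struct magic` exactly as quoted on this page (file 5.41, MAXstring = 128).
# Every member is naturally aligned, so the packed little-endian format below
# matches what an x86-64 compiler lays out for the C struct.
MAGIC_FMT = "<H10B2iIQ128s64s80s8s64s"
ENTRY_SIZE = struct.calcsize(MAGIC_FMT)          # 376 == 0x178
Entry = namedtuple("Entry", (
    "cont_level flag factor reln vallen type in_type in_op mask_op dummy "
    "factor_op offset in_offset lineno num_mask value desc mimetype apple ext"))

FILE_BYTE, FILE_STRING, FILE_LESHORT = 1, 5, 10  # values from file.h
FILE_OPXOR, FILE_OPS_MASK, INDIR = 2, 0x07, 0x01


def parse_entries(blob, start=ENTRY_SIZE):
    """Split a compiled magic blob into Entry records, skipping `start` bytes."""
    count = (len(blob) - start) // ENTRY_SIZE
    return [Entry._make(struct.unpack_from(MAGIC_FMT, blob, start + i * ENTRY_SIZE))
            for i in range(count)]


def xor_mask(entry):
    """Return the XOR operand of an entry, or 0 when the entry has no mask."""
    if entry.num_mask == 0:
        return 0
    if (entry.mask_op & FILE_OPS_MASK) != FILE_OPXOR:
        raise ValueError(f"line {entry.lineno}: only XOR masks are handled")
    return entry.num_mask


def recover_flag(entries):
    """Invert the two rule kinds described above and rebuild the flag bytes."""
    index_at = {}   # file offset -> flag position, from the LESHORT rules
    flag = {}       # flag position -> byte value
    for e in entries:
        if e.type == FILE_STRING:
            for k, byte in enumerate(e.value[:e.vallen]):
                flag[e.offset + k] = byte
        elif e.type == FILE_LESHORT:
            (stored,) = struct.unpack_from("<H", e.value)
            index_at[e.offset] = (stored ^ xor_mask(e)) & 0xFFFF
        elif e.type == FILE_BYTE and e.flag & INDIR:
            if e.offset not in index_at:
                raise ValueError(f"line {e.lineno}: no index rule for {e.offset:#x}")
            # num_mask may be sign-extended (0xffffff8a on the page): keep 8 bits.
            flag[index_at[e.offset]] = (e.value[0] ^ xor_mask(e)) & 0xFF
    if not flag:
        return b""
    return bytes(flag.get(i, ord("?")) for i in range(max(flag) + 1))


def pack_entry(**fields):
    """Serialise one Entry; members that are not given are zero or empty."""
    rec = {name: 0 for name in Entry._fields}
    rec.update(value=b"", desc=b"", mimetype=b"", apple=b"", ext=b"")
    rec.update(fields)
    return struct.pack(MAGIC_FMT, *(rec[name] for name in Entry._fields))


def build_sample(secret=b"flag{constructed_demo}"):
    """Constructed stand-in for flag.mgc (not the challenge file)."""
    prefix, body = secret[:5], secret[5:]
    blob = bytes(ENTRY_SIZE)                      # first slot, left zeroed here
    blob += pack_entry(flag=0x20, reln=ord("="), vallen=len(prefix),
                       type=FILE_STRING, lineno=1, value=prefix)
    shorts, checks = b"", b""
    for i in range(len(body)):
        pos = len(secret) - 1 - i                 # rules visit the flag backwards
        off = 0x40 + 2 * i                        # assumed offset per rule
        m16, m8 = 0x76 + 7 * i, (0x8A + 13 * i) & 0xFF
        wide = m8 | (0xFFFFFFFFFFFFFF00 if m8 & 0x80 else 0)   # sign-extended
        shorts += pack_entry(cont_level=1 + i, reln=ord("="), type=FILE_LESHORT,
                             mask_op=FILE_OPXOR, offset=off, lineno=2 + i,
                             num_mask=m16, value=struct.pack("<H", pos ^ m16))
        checks += pack_entry(cont_level=1 + len(body) + i, flag=INDIR,
                             reln=ord("="), type=FILE_BYTE, in_type=FILE_BYTE,
                             mask_op=FILE_OPXOR, offset=off,
                             lineno=2 + len(body) + i, num_mask=wide,
                             value=bytes([secret[pos] ^ m8]))
    return blob + shorts + checks


if __name__ == "__main__":
    print(hex(ENTRY_SIZE), recover_flag(parse_entries(build_sample())))
```

To try it on a real compiled magic file, pass the file's bytes to `parse_entries`; rule types other than the three handled here are ignored.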
# ez_code
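Opening the challenge shows symbols such as `%` and `$`, so I guessed this is an obfuscated `ps1`.

After changing the extension to `ps1` and running it, there is indeed output.

From a look at it, it seems to have been obfuscated with `lodan`.

This article explains it well: https://bbs.kanxue.com/thread-271570.htm. In `powershell`, `$` denotes a variable.

`+$()` is equivalent to 0, and `$(@{})` yields `System.Collections.Hashtable`.

For interpreted languages such as `js`, `python`, `ps` and so on, when you run into them while reversing, no matter how they are obfuscated, lift the code out, add a `console.log`, `print` or `echo`, run it, and every variable you want to know is revealed.

For this challenge we can use `echo` to print the variables of interest. We notice `iex` and `[CHar]`, which are very important in `powershell`.

Then open `sublime` and globally replace those odd special symbols.

Replace `[CHar]` with the empty string and `+` with a space, then drop the result into CyberChef.

That gives the ps1 script; at a glance it is xxtea.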
```
class chiper():
    def __init__(self):
        self.d = 0x87654321
        k0 = 0x67452301
        k1 = 0xefcdab89
        k2 = 0x98badcfe
        k3 = 0x10325476
        self.k = [k0, k1, k2, k3]

    def e(self, n, v):
        from ctypes import c_uint32

        def MX(z, y, total, key, p, e):
            temp1 = (z.value >> 6 ^ y.value << 4) + \
                (y.value >> 2 ^ z.value << 5)
            temp2 = (total.value ^ y.value) + \
                (key[(p & 3) ^ e.value] ^ z.value)
            return c_uint32(temp1 ^ temp2)
        key = self.k
        delta = self.d
        rounds = 6 + 52//n
        total = c_uint32(0)
        z = c_uint32(v[n-1])
        e = c_uint32(0)
        while rounds > 0:
            total.value += delta
            e.value = (total.value >> 2) & 3
            for p in range(n-1):
                y = c_uint32(v[p+1])
                v[p] = c_uint32(v[p] + MX(z, y, total, key, p, e).value).value
                z.value = v[p]
            y = c_uint32(v[0])
            v[n-1] = c_uint32(v[n-1] + MX(z, y, total,
                              key, n-1, e).value).value
            z.value = v[n-1]
            rounds -= 1
        return v

    def bytes2ints(self,cs:bytes)->list:
        new_length=len(cs)+(8-len(cs)%8)%8
        barray=cs.ljust(new_length,b'\x00')
        i=0
        v=[]
        while i < new_length:
            v0 = int.from_bytes(barray[i:i+4], 'little')
            v1 = int.from_bytes(barray[i+4:i+8], 'little')
            v.append(v0)
            v.append(v1)
            i += 8
        return v

def check(instr:str,checklist:list)->int:
    length=len(instr)
    if length%8:
        print("Incorrect format.")
        exit(1)
    c=chiper()
    v = c.bytes2ints(instr.encode())
    output=list(c.e(len(v),v))
    i=0
    while(i<len(checklist)):
        if i<len(output) and output[i]==checklist[i]:
            i+=1
        else:
            break
    if i==len(checklist):
        return 1
    return 0

if __name__=="__main__":
    ans=[1374278842, 2136006540, 4191056815, 3248881376]
    # generateRes()
    flag=input('Please input flag:')
    res=check(flag,ans)
    if res:
        print("Congratulations, you've got the flag!")
        print("Flag is *ctf{your_input}!")
        exit(0)
    else:
        print('Nope,try again!')
Function _/==/=__=_{
    [CmdletBinding()] param(
        [Parameter(Position = 0)]
        [String]
        $param1
    )
    $result = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($param1))
    return $result
}
Function _\/_\_={
    [CmdletBinding()] param(
        [Parameter(Position = 0)]
        [String]
        $param1
    )
    $param1 = _/==/=__=_ -param1 $param1
    $result = [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($param1))
    $result | out-null
}
_\/_\_= ("S21OMFpudG9hR2hmY0hkemFGOXBjMTlsWVhONVgzSnBaMmgwUDMwPQ==")
echo "Do you konw PWSH?"
```
Too easy. The exp is as follows:

```python
from ctypes import *


def MX(z, y, total, key, p, e):
    temp1 = (z.value >> 6 ^ y.value << 4) + \
            (y.value >> 2 ^ z.value << 5)
    temp2 = (total.value ^ y.value) + \
            (key[(p & 3) ^ e.value] ^ z.value)
    return c_uint32(temp1 ^ temp2)


def encrypt(n, v, key):
    delta = 0x87654321
    rounds = 6 + 52 // n
    total = c_uint32(0)
    z = c_uint32(v[n - 1])
    e = c_uint32(0)
    while rounds > 0:
        total.value += delta
        e.value = (total.value >> 2) & 3
        for p in range(n - 1):
            y = c_uint32(v[p + 1])
            v[p] = c_uint32(v[p] + MX(z, y, total, key, p, e).value).value
            z.value = v[p]
        y = c_uint32(v[0])
        v[n - 1] = c_uint32(v[n - 1] + MX(z, y, total, key, n - 1, e).value).value
        z.value = v[n - 1]
        rounds -= 1
    return v


def decrypt(n, v, key):
    delta = 0x87654321
    rounds = 6 + 52 // n
    total = c_uint32(rounds * delta)
    y = c_uint32(v[0])
    e = c_uint32(0)
    while rounds > 0:
        e.value = (total.value >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = c_uint32(v[p - 1])
            v[p] = c_uint32((v[p] - MX(z, y, total, key, p, e).value)).value
            y.value = v[p]
        z = c_uint32(v[n - 1])
        v[0] = c_uint32(v[0] - MX(z, y, total, key, 0, e).value).value
        y.value = v[0]
        total.value -= delta
        rounds -= 1
    return v


# test
if __name__ == "__main__":
    # This algorithm can encrypt more than 64 bits of data at a time,
    # and the number of rounds is determined by the length of the data.
    v = [1374278842, 2136006540, 4191056815, 3248881376]
    k = [0x67452301, 0xefcdab89, 0x98badcfe, 0x10325476]
    n = 4
    res = decrypt(n, v, k)
    flag = b''
    for i in res:
        flag += i.to_bytes(4, 'little')
    print(flag)  # yOUar3g0oD@tPw5H
```
# boring cipher
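Debug it dynamically in IDA, with the breakpoint set here.

Above it, `obfstr::xref::inner::h7a99f28656c7fd53` comes from open-source code on GitHub whose purpose is to obfuscate strings.

There is also a file-reading function, `std::fs::read::inner::hb6a137b36c73a8b4`, which reads `/proc/self/exe`. So the obfuscated string above should be there to provide cover for this file read, and the file being read is the challenge binary itself. This also explains why the size of `output` is the same as the size of the program itself.

When facing complicated encryption, starting from the forward direction is definitely a wise choice.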
import math | |
import numpy as np | |
_arr = [0x0000002A, 0x0000005B, 0x0000007E, 0x000000C1, 0x000000DC, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x0000002A, 0x0000002C, 0x00000059, | |
0x0000006F, 0x00000078, 0x0000008E, 0x000000BD, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000001, 0x00000004, 0x0000000E, 0x00000088, 0x0000008B, 0x000000B4, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000038, 0x000000A6, 0x000000AE, 0x000000C3, 0x000000E3, 0x000000E8, 0x000000FF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000013, 0x00000016, 0x00000058, | |
0x0000005D, 0x00000078, 0x000000AE, 0x000000BB, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x0000005B, 0x00000089, 0x0000009D, 0x000000B7, 0x000000C5, 0x000000C6, | |
0x000000F9, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000002, 0x00000016, 0x00000020, 0x00000047, 0x0000008F, 0x00000098, 0x000000CC, 0x000000DF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000015, 0x00000070, 0x000000A8, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000062, 0x00000068, 0x000000C2, 0x000000EA, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x0000000A, 0x0000000D, 0x0000002F, 0x00000044, 0x00000057, 0x0000007F, 0x000000DB, 0x000000E3, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x0000000B, 0x00000018, 0x00000059, | |
0x00000086, 0x000000DD, 0x000000FF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x0000001C, 0x00000031, 0x0000003D, 0x00000040, 0x00000097, 0x0000009D, | |
0x0000009E, 0x000000A1, 0x000000C7, 0x000000CD, 0x000000E2, 0x000000F8, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x0000000A, 0x00000020, 0x00000025, 0x00000035, 0x00000044, 0x00000055, 0x00000072, 0x000000CB, 0x000000DA, | |
0x000000DD, 0x000000ED, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000044, 0x00000052, 0x00000085, | |
0x00000093, 0x000000B4, 0x000000CB, 0x000000E3, 0x000000F0, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000052, 0x00000059, 0x000000A2, 0x000000BE, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x0000002D, 0x00000055, 0x0000005B, 0x00000084, 0x000000C4, 0x000000D6, 0x000000E1, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000013, 0x00000037, 0x00000041, | |
0x00000051, 0x00000053, 0x00000075, 0x00000076, 0x000000EA, 0x000000EF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x0000000F, 0x00000040, 0x0000006B, 0x0000009C, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000005, 0x00000011, 0x00000014, 0x00000017, 0x00000021, 0x00000058, 0x00000061, 0x0000006A, 0x00000083, | |
0x000000D6, 0x000000E1, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000022, 0x00000026, 0x00000090, | |
0x000000EC, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x0000006B, 0x0000006C, 0x00000086, 0x0000008C, 0x00000093, 0x000000F7, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000010, 0x00000013, 0x0000007C, 0x000000C0, 0x000000CB, 0x000000F3, 0x000000F6, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000027, 0x0000007C, 0x0000007F, | |
0x00000083, 0x00000086, 0x000000D9, 0x000000DB, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000030, 0x00000032, 0x0000006D, 0x00000081, 0x000000BF, 0x000000ED, | |
0x000000FA, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000015, 0x00000022, 0x00000030, 0x00000032, 0x00000036, 0x0000005C, 0x000000D3, 0x000000EC, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000003, 0x00000004, 0x00000009, | |
0x00000014, 0x00000080, 0x0000008E, 0x00000098, 0x000000FC, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x0000001F, 0x00000064, 0x000000B6, 0x000000C4, 0x000000DD, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000042, 0x00000056, 0x0000008E, 0x000000AF, 0x000000DD, 0x000000EF, 0x000000FD, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000032, 0x00000045, 0x0000004E, | |
0x0000006D, 0x00000075, 0x0000008F, 0x000000C8, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000018, 0x0000005A, 0x0000005F, 0x0000006B, 0x00000096, 0x000000DB, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x0000000C, 0x0000006A, 0x000000CF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000002, 0x0000003F, 0x00000065, | |
0x000000C2, 0x000000EF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x0000004F, 0x00000050, 0x00000063, 0x000000C3, 0x000000CB, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000000, 0x0000009B, 0x000000BC, 0x000000EE, 0x000000FF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000004, 0x00000023, 0x0000003E, | |
0x00000042, 0x00000078, 0x000000D4, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000015, 0x00000033, 0x00000036, 0x00000046, 0x0000007A, 0x00000083, | |
0x000000B2, 0x000000BE, 0x000000FC, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x0000006E, 0x000000A5, 0x000000A6, 0x000000A7, 0x000000A9, 0x000000B7, 0x000000D2, 0x000000E5, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000003, 0x00000017, 0x0000004F, | |
0x00000050, 0x00000062, 0x0000007E, 0x00000091, 0x00000097, 0x000000B1, 0x000000E4, 0x000000E9, 0x000000EC, | |
0x000000FD, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000051, 0x00000057, 0x0000005E, 0x000000B3, 0x000000DC, 0x000000F1, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000002, 0x0000000C, 0x0000004B, 0x0000005A, 0x0000008D, 0x00000095, 0x000000B8, 0x000000DB, 0x000000EF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000019, 0x0000008B, 0x000000D8, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x0000001A, 0x0000006A, 0x0000007B, 0x000000B0, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x0000005E, 0x0000006B, 0x000000AB, 0x000000AF, 0x000000F5, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x0000001B, 0x00000058, 0x0000008C, | |
0x00000096, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000050, 0x000000B5, 0x000000E5, 0x000000FD, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000001, 0x00000007, 0x00000052, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x0000001D, 0x0000006D, 0x0000006F, | |
0x0000007C, 0x0000009F, 0x000000B7, 0x000000BE, 0x000000D4, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000027, 0x0000002B, 0x00000075, 0x00000089, 0x000000A3, 0x000000D0, | |
0x000000D4, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x0000002E, 0x000000CD, 0x000000F4, 0x000000FE, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x0000000C, 0x00000012, 0x00000042, | |
0x00000070, 0x00000075, 0x00000079, 0x00000097, 0x00000099, 0x000000BF, 0x000000CE, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000015, 0x0000007D, 0x00000088, 0x000000A3, 0x000000B8, 0x000000C9, | |
0x000000F1, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x0000001A, 0x0000001E, 0x00000052, 0x00000086, 0x000000AE, 0x000000D7, 0x000000E9, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x0000000D, 0x000000AD, 0x000000AF, | |
0x000000C0, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000008, 0x0000004D, 0x0000006C, 0x00000074, 0x00000076, 0x0000007A, | |
0x000000A9, 0x000000AE, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000000, 0x0000000C, 0x00000017, 0x0000001E, 0x00000024, 0x00000027, 0x00000064, 0x00000067, 0x000000CC, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000003, 0x0000003D, 0x00000084, | |
0x00000085, 0x000000CD, 0x000000EB, 0x000000F8, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000057, 0x00000084, 0x0000008A, 0x000000B6, 0x000000CD, 0x000000E9, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000002, 0x00000021, 0x0000002E, 0x0000003B, 0x00000073, 0x00000074, 0x000000A0, 0x000000E1, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000021, 0x00000033, 0x00000037, | |
0x00000067, 0x00000072, 0x000000A1, 0x000000CA, 0x000000E1, 0x000000FB, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000023, 0x00000038, 0x00000047, 0x00000048, 0x0000004B, 0x0000004C, | |
0x00000057, 0x00000059, 0x00000069, 0x00000090, 0x000000A0, 0x000000BA, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000031, 0x00000035, 0x0000003C, 0x00000093, 0x000000A1, 0x000000DE, 0x000000EE, 0x000000FD, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000003, 0x00000066, 0x0000008C, | |
0x00000091, 0x00000094, 0x000000A0, 0x000000B0, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000040, 0x0000007A, 0x00000096, 0x000000A4, 0x000000E0, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000030, 0x0000003D, 0x0000005A, 0x0000006C, 0x00000080, 0x000000E6, 0x000000ED, 0x000000F2, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000004, 0x00000019, 0x00000082, | |
0x00000088, 0x00000090, 0x00000094, 0x000000AC, 0x000000F9, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000022, 0x00000028, 0x0000003C, 0x0000006E, 0x00000079, 0x0000007E, | |
0x0000008E, 0x00000091, 0x00000099, 0x0000009D, 0x000000A0, 0x000000CC, 0x000000EC, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000008, 0x00000033, 0x00000082, 0x0000008C, 0x00000090, 0x000000AA, 0x000000BC, 0x000000F8, 0x000000FE, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000017, 0x00000049, 0x00000093, | |
0x000000C7, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000019, 0x00000047, 0x0000005B, 0x00000060, 0x00000065, 0x000000BD, | |
0x000000F2, 0x000000F5, 0x000000F6, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000020, 0x0000002B, 0x00000031, 0x00000047, 0x00000048, 0x00000051, 0x00000054, 0x00000064, 0x00000078, | |
0x000000A1, 0x000000A5, 0x000000B4, 0x000000C8, 0x000000EE, 0x000000FE, 0x00000005, 0x00000011, 0x0000004A, | |
0x0000005D, 0x00000076, 0x00000077, 0x000000FE, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000008, 0x0000006D, 0x0000009A, 0x000000A3, 0x000000CE, 0x000000DC, | |
0x000000E0, 0x000000E4, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000013, 0x0000001D, 0x0000003A, 0x00000046, 0x00000098, 0x0000009C, 0x000000E7, 0x000000F3, 0x000000F5, | |
0x000000F8, 0x000000FC, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x0000001E, 0x00000034, 0x0000003B, | |
0x00000046, 0x00000079, 0x000000A7, 0x000000B0, 0x000000C4, 0x000000E0, 0x000000E7, 0x000000F6, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000070, 0x00000087, 0x00000097, 0x0000009E, 0x000000A6, 0x000000FB, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x0000001C, 0x00000021, 0x0000002B, 0x00000039, 0x0000004A, 0x0000006C, 0x00000081, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000006, 0x00000041, 0x00000064, | |
0x0000007F, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000020, 0x00000022, 0x0000005C, 0x000000B0, 0x000000B6, 0x000000B9, | |
0x000000C2, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000014, 0x0000001E, 0x00000079, 0x00000092, 0x00000096, 0x000000BC, 0x000000C7, 0x000000DA, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000016, 0x00000046, 0x0000007D, | |
0x00000089, 0x000000D5, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000043, 0x0000004C, 0x0000006A, 0x0000007D, 0x0000007F, 0x0000008D, | |
0x000000C2, 0x000000F2, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, | |
0x00000029, 0x00000045, 0x00000051, 0x00000069, 0x00000091, 0x000000B6, 0x000000EA, 0x000000F5, 0x000000FF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x00000011, 0x00000036, 0x00000038, | |
0x00000040, 0x0000005C, 0x00000099, 0x000000D1, 0x000000E9, 0x000000EE, 0x000000F9, 0xFFFFFFFF, 0xFFFFFFFF, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0x0000004B, 0x00000058, 0x00000071, 0x00000084, 0x000000C6, 0x000000F3, | |
0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF, 0xFFFFFFFF] | |
# Element-by-element reshape of the flat constant array into 4 rounds x 21 rows x 15 columns
arr = np.zeros((4, 21, 15))
for m in range(4):
    for n in range(21):
        for p in range(15):
            arr[m][n][p] = _arr[(21 * m + n) * 15 + p]
# Equivalent one-liner (keeps integer dtype); this is the array used below
arr = np.array(_arr).reshape((4, 21, 15))
round = 0
S = list(range(256))
flag = [0x3132333435360a00, 0, 0, 0]  # flag words dumped under the debugger after feeding the program the input 123456
for round in range(4):
    order = list(range(21))
    n = 20
    bignum = math.factorial(n)  # 20!, i.e. 0x21C3677C82B40000
    index = 0
    # Shuffle: the factorial-base digits of flag[round] choose the swap partners
    while n:
        quot = index + flag[round] // bignum
        flag[round] %= bignum
        order[quot], order[index] = order[index], order[quot]
        bignum //= n
        index += 1
        n -= 1
    # Every non-padding entry in row order[i] adds i to the S-box slot it names
    for i in range(21):
        for j in range(15):
            if arr[round][order[i]][j] != 0xFFFFFFFF:
                S[int(arr[round][order[i]][j])] += i
with open('../cipher-release', 'rb') as f:
    src = f.read()
src = list(src)
with open('output', 'rb') as f:  # the output file produced with 123456 as input
    final = f.read()
final = list(final)
# Check the forward model against the real output, byte by byte
for i in range(256):
    assert (S[i] & 0xff == final[src.index(i)])
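At first glance there seems to be nothing invertible here: with the data shuffled this heavily, how could it be reversed?
But if a challenge algorithm is this hard to reverse, it must have a cryptographic weakness somewhere, otherwise nobody could solve it.
The thing to look at is the huge constant array `arr`. This array is the only variable that changes the values in the S-box, and an entry equal to `0xFFFFFFFF` does not change the S-box at all. Looking at the assignment `S[int(arr[round][order[i]][j])] += i`, each value in `arr` makes the S-box value at the corresponding position increase by `i`.
If the value at the same S-box position is added to twice in a row, we cannot know which two numbers were added.
But what if the value at a given S-box position is added to only once? Subtracting the starting value from the final value tells us exactly which number the `+i` added.
Let's write a small script to see how many numbers occur exactly once in `arr`.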
_arr = [...]  # the array is too large, so it is omitted here; the values are the same as above
counts = {}
for key in _arr:
    if key == 0xffffffff:
        key = "0x-1"  # label for the padding entries
    else:
        key = "0x" + hex(key)[2::].zfill(2)
    counts[key] = counts.get(key, 0) + 1
print(counts)
The output is:
{'0x2a': 2, '0x5b': 4, '0x7e': 3, '0xc1': 1, '0xdc': 3, '0x-1': 663, '0x2c': 1, '0x59': 4, '0x6f': 2, '0x78': 4, '0x8e': 4, '0xbd': 2, '0x01': 2, '0x04': 4, '0x0e': 1, '0x88': 3, '0x8b': 2, '0xb4': 3, '0x38': 3, '0xa6': 3, '0xae': 4, '0xc3': 2, '0xe3': 3, '0xe8': 1, '0xff': 4, '0x13': 4, '0x16': 3, '0x58': 4, '0x5d': 2, '0xbb': 1, '0x89': 3, '0x9d': 3, '0xb7': 3, '0xc5': 1, '0xc6': 2, '0xf9': 3, '0x02': 4, '0x20': 4, '0x47': 4, '0x8f': 2, '0x98': 3, '0xcc': 3, '0xdf': 1, '0x15': 4, '0x70': 3, '0xa8': 1, '0x62': 2, '0x68': 1, '0xc2': 4, '0xea': 3, '0x0a': 2, '0x0d': 2, '0x2f': 1, '0x44': 3, '0x57': 4, '0x7f': 4, '0xdb': 4, '0x0b': 1, '0x18': 2, '0x86': 4, '0xdd': 4, '0x1c': 2, '0x31': 3, '0x3d': 3, '0x40': 4, '0x97': 4, '0x9e': 2, '0xa1': 4, '0xc7': 3, '0xcd': 4, '0xe2': 1, '0xf8': 4, '0x25': 1, '0x35': 2, '0x55': 2, '0x72': 2, '0xcb': 4, '0xda': 2, '0xed': 3, '0x52': 4, '0x85': 2, '0x93': 4, '0xf0': 1, '0xa2': 1, '0xbe': 3, '0x2d': 1, '0x84': 4, '0xc4': 3, '0xd6': 2, '0xe1': 4, '0x37': 2, '0x41': 2, '0x51': 4, '0x53': 1, '0x75': 4, '0x76': 3, '0xef': 4, '0x0f': 1, '0x6b': 4, '0x9c': 2, '0x05': 2, '0x11': 3, '0x14': 3, '0x17': 4, '0x21': 4, '0x61': 1, '0x6a': 4, '0x83': 3, '0x22': 4, '0x26': 1, '0x90': 4, '0xec': 4, '0x6c': 4, '0x8c': 4, '0xf7': 1, '0x10': 1, '0x7c': 3, '0xc0': 2, '0xf3': 3, '0xf6': 3, '0x27': 3, '0xd9': 1, '0x30': 3, '0x32': 3, '0x6d': 4, '0x81': 2, '0xbf': 2, '0xfa': 1, '0x36': 3, '0x5c': 3, '0xd3': 1, '0x03': 4, '0x09': 1, '0x80': 2, '0xfc': 3, '0x1f': 1, '0x64': 4, '0xb6': 4, '0x42': 3, '0x56': 1, '0xaf': 3, '0xfd': 4, '0x45': 2, '0x4e': 1, '0xc8': 2, '0x5a': 3, '0x5f': 1, '0x96': 4, '0x0c': 4, '0xcf': 1, '0x3f': 1, '0x65': 2, '0x4f': 2, '0x50': 3, '0x63': 1, '0x00': 2, '0x9b': 1, '0xbc': 3, '0xee': 4, '0x23': 2, '0x3e': 1, '0xd4': 3, '0x33': 3, '0x46': 4, '0x7a': 3, '0xb2': 1, '0x6e': 2, '0xa5': 2, '0xa7': 2, '0xa9': 2, '0xd2': 1, '0xe5': 2, '0x91': 4, '0xb1': 1, '0xe4': 2, '0xe9': 4, '0x5e': 2, '0xb3': 1, '0xf1': 2, '0x4b': 3, '0x8d': 2, 
'0x95': 1, '0xb8': 2, '0x19': 3, '0xd8': 1, '0x1a': 2, '0x7b': 1, '0xb0': 4, '0xab': 1, '0xf5': 4, '0x1b': 1, '0xb5': 1, '0x07': 1, '0x1d': 2, '0x9f': 1, '0x2b': 3, '0xa3': 3, '0xd0': 1, '0x2e': 2, '0xf4': 1, '0xfe': 4, '0x12': 1, '0x79': 4, '0x99': 3, '0xce': 2, '0x7d': 3, '0xc9': 1, '0x1e': 4, '0xd7': 1, '0xad': 1, '0x08': 3, '0x4d': 1, '0x74': 2, '0x24': 1, '0x67': 2, '0xeb': 1, '0x8a': 1, '0x3b': 2, '0x73': 1, '0xa0': 4, '0xca': 1, '0xfb': 2, '0x48': 2, '0x4c': 2, '0x69': 2, '0xba': 1, '0x3c': 2, '0xde': 1, '0x66': 1, '0x94': 2, '0xa4': 1, '0xe0': 3, '0xe6': 1, '0xf2': 3, '0x82': 2, '0xac': 1, '0x28': 1, '0xaa': 1, '0x49': 1, '0x60': 1, '0x54': 1, '0x4a': 2, '0x77': 1, '0x9a': 1, '0x3a': 1, '0xe7': 2, '0x34': 1, '0x87': 1, '0x39': 1, '0x06': 1, '0xb9': 1, '0x92': 1, '0xd5': 1, '0x43': 1, '0x29': 1, '0xd1': 1, '0x71': 1} |
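What use is knowing the number that was added? A great deal!
Knowing which number was added, together with the corresponding position in the S-box, we can compute the `order` sequence as it stands after the shuffle.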
# _arr is the constant array from above; numpy is imported as np
arr = np.array(_arr).reshape((4, 21, 15))
S = list(range(256))
with open('./cipher-release', 'rb') as f:
    src = f.read()
src = list(src)
with open('output', 'rb') as f:
    final = f.read()
final = list(final)
key = [[-1 for order in range(21)] for round in range(4)]
for i in range(256):
    S[i] = final[src.index(i)]
    # A value that occurs exactly once in arr was added to exactly once
    if len(np.argwhere(arr == i)) == 1:
        round, order_i, j = list(np.argwhere(arr == i)[0])
        # S holds bytes, so reduce mod 256 in case i + (added number) wrapped
        key[round][(S[i] - i) % 256] = order_i
Then, from the `order` sequence, we can work backwards to the 64-bit value that was originally fed in, and from that recover the flag~
for round in range(4):
    order = key[round]
    seed = 0
    pre_order = list(range(21))
    # Replay the shuffle: the swap distance at step i is the factorial-base digit
    for i in range(21):
        j = pre_order.index(order[i])
        pre_order[i], pre_order[j] = pre_order[j], pre_order[i]
        seed += math.factorial(20 - i) * (j - i)
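So the exp is below. This challenge put me through a lot, but finishing it genuinely felt like finding a way through just when all seemed lost.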
import math
import numpy as np
_arr = [...]  # the same constant array as in the forward script above; omitted here
arr = np.array(_arr).reshape((4, 21, 15))
S = list(range(256))
with open('./cipher-release', 'rb') as f:
    src = f.read()
src = list(src)
with open('output', 'rb') as f:
    final = f.read()
final = list(final)
key = [[-1 for order in range(21)] for round in range(4)]
for i in range(256):
    S[i] = final[src.index(i)]
    # A value that occurs exactly once in arr was added to exactly once
    if len(np.argwhere(arr == i)) == 1:
        round, order_i, j = list(np.argwhere(arr == i)[0])
        # S holds bytes, so reduce mod 256 in case i + (added number) wrapped
        key[round][(S[i] - i) % 256] = order_i
        # print(f"round={round},order[{S[i]-i}]={order_i}")
flag = b''
for round in range(4):
    order = key[round]
    seed = 0
    pre_order = list(range(21))
    # Replay the shuffle: the swap distance at step i is the factorial-base digit
    for i in range(21):
        j = pre_order.index(order[i])
        pre_order[i], pre_order[j] = pre_order[j], pre_order[i]
        seed += math.factorial(20 - i) * (j - i)
    flag += seed.to_bytes(8, 'big')
print(flag)  # *ctf{b0rIn9_67hdnm_cIph3ri_7292}
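The chain described above (singleton table entries, recovered `order`, recovered 64-bit words) can be replayed without the challenge files. This is an added example, not the author's exp: the table is constructed rather than the challenge's `arr`, and `build_table`, `apply_rounds`, `recover_seeds` and the sample input are names and data assumed for illustration. It goes slightly beyond the script above by filling a single unknown `order` slot by elimination, and it includes a second constructed table with no singletons to show where the shortcut stops working.

```python
import math
import random

ROWS, COLS, PAD = 21, 15, 0xFFFFFFFF  # row count, row width and padding marker of arr


def seed_to_order(seed):
    """Forward step: the factorial-base digits of seed drive the swaps."""
    order, big = list(range(ROWS)), math.factorial(ROWS - 1)
    for idx in range(ROWS - 1):
        quot = idx + seed // big
        seed %= big
        order[quot], order[idx] = order[idx], order[quot]
        big //= ROWS - 1 - idx
    return order


def order_to_seed(order):
    """Inverse step: replay the swaps and read the digits back."""
    pre, seed = list(range(ROWS)), 0
    for i in range(ROWS):
        j = pre.index(order[i])
        pre[i], pre[j] = pre[j], pre[i]
        seed += math.factorial(ROWS - 1 - i) * (j - i)
    return seed


def apply_rounds(table, seeds):
    """S[v] += i (as a byte) for every non-padding v in row order[i]."""
    S = list(range(256))
    for rnd, seed in enumerate(seeds):
        order = seed_to_order(seed)
        for i in range(ROWS):
            for v in table[rnd][order[i]]:
                if v != PAD:
                    S[v] = (S[v] + i) & 0xFF
    return S


def recover_seeds(table, S):
    """Rebuild each round's order from values that occur once in the table."""
    hits = {}
    for rnd, rows in enumerate(table):
        for r, row in enumerate(rows):
            for v in row:
                if v != PAD:
                    hits.setdefault(v, []).append((rnd, r))
    orders = [[None] * ROWS for _ in table]
    for v, places in hits.items():
        if len(places) == 1:  # singleton: S[v] - v is exactly the position i
            rnd, r = places[0]
            orders[rnd][(S[v] - v) % 256] = r  # % 256 undoes byte wrap-around
    seeds = []
    for order in orders:
        gaps = [i for i, r in enumerate(order) if r is None]
        if len(gaps) == 1:  # a single unknown slot is fixed by elimination
            order[gaps[0]] = (set(range(ROWS)) - set(order)).pop()
            gaps = []
        seeds.append(None if gaps else order_to_seed(order))
    return seeds


def build_table(singletons, rng):
    """Constructed 4x21x15 table; singletons=True gives every row one unique value."""
    values = list(range(256))
    rng.shuffle(values)
    cells = [[] for _ in range(4 * ROWS)]
    if singletons:
        for cell, v in zip(cells, values):  # 84 values, each used exactly once
            cell.append(v)
        values = values[len(cells):]
    for k, v in enumerate(values):  # every remaining value lands in two rows
        cells[(2 * k) % len(cells)].append(v)
        cells[(2 * k + 1) % len(cells)].append(v)
    rows = [sorted(c) + [PAD] * (COLS - len(c)) for c in cells]
    return [rows[r * ROWS:(r + 1) * ROWS] for r in range(4)]


def demo():
    flag = b"constructed-demo-input-32-bytes!"  # constructed input, 4 x 8 bytes
    seeds = [int.from_bytes(flag[i:i + 8], "big") for i in range(0, 32, 8)]
    rng = random.Random(2023)
    leaky = build_table(True, rng)
    got = recover_seeds(leaky, apply_rounds(leaky, seeds))
    recovered = b"".join(s.to_bytes(8, "big") for s in got)
    dense = build_table(False, rng)  # no value occurs only once
    blocked = recover_seeds(dense, apply_rounds(dense, seeds))
    return flag, recovered, blocked


if __name__ == "__main__":
    print(demo())
```

On the table without singletons, `recover_seeds` returns `None` for every round, because no S-box difference can be attributed to a single row any more.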