失窃的工艺
附件为力控的打包文件,实际为zip文件,修改后缀后用搜索功能搜flag{,找到flag
flag为:flag{D076-4D7E-92AC-A05ACB788292}
简单的逆向分析
附件为elf文件,用ida64打开反编译后可以看到主要逻辑是异或,并且能看到密文序列,跳转查看其中的字节码
注意那个2dup(2ah)是代表重复两次2ah,接下来按照逻辑异或回来就行
下面是解密脚本:
# 给定的密文(十六进制表示)
ciphertext_hex = [
"3Ch", "36h", "3Bh", "3Dh", "21h", "1Bh", "1Fh", "9h",
"77h", "32h", "3Bh", "2Ah", "2Ah", "23h", "27h"
]
# 将十六进制字符串转换为整数
ciphertext = []
for hex_str in ciphertext_hex:
# 处理带'h'和不带'h'的情况
if hex_str.endswith('h'):
hex_str = hex_str[:-1]
# 转换为十进制整数
ciphertext.append(int(hex_str, 16))
# 解密密文:每个字节与0x5A异或
decrypted_bytes = []
for byte in ciphertext:
decrypted_byte = byte ^ 0x5A
decrypted_bytes.append(decrypted_byte)
# 将解密后的字节转换为字符
decrypted_text = ''.join([chr(b) for b in decrypted_bytes])
# 计算字节总和
byte_sum = sum(decrypted_bytes)
# 输出结果
print("解密后的字符串:", decrypted_text)
print("字节总和:", byte_sum)
# 可选:输出每个字节的解密过程
print("\n解密过程:")
for i, (cipher_byte, dec_byte) in enumerate(zip(ciphertext, decrypted_bytes)):
print(f"字节 {i+1}: {cipher_byte:02X}h ^ 5Ah = {dec_byte:02X}h ('{chr(dec_byte)}')")
flag:flag{AES-happy}
esayAES
直接ai拷打出来脚本,四重aes
from Crypto.Cipher import AES
import string
from hashlib import sha256
# 已知的c3十六进制值
c3_hex = "62343dfc3e978a1d580b54f345e1ed719c85ab15781acfe8ba3bcef1560c9cf54f187bc204c302a5ed4ebb5b5454151ba9b8b73841e17dc391c30a637ef8cfa14a25d01765231ef93a6faede2d66bad5d124201a2d278522bfd416de294677046d47f2827580cdcb9c0d3b18e4c0c68c8948aaefe4e684c7386b426db7898b5c2090047ff433bb6a75b38beaf81b7ad9404d2f09c642179697e9d3721eefc0eb12ba8c780a8d07672f70b00b9cadef74"
c3 = bytes.fromhex(c3_hex) # Python 3语法:将十六进制字符串转换为字节
# 可能的字符集
dic = string.ascii_letters + string.digits # Python 3中使用ascii_letters
class myAES(object):
def __init__(self, key):
self.bs = 32 # 填充块大小
self.key = key
@staticmethod
def str_to_bytes(data):
u_type = type(b''.decode('utf8'))
if isinstance(data, u_type):
return data.encode('utf8')
return data
def _pad(self, s):
return s + (self.bs - len(s) % self.bs) * myAES.str_to_bytes(chr(self.bs - len(s) % self.bs))
@staticmethod
def _unpad(s):
return s[:-ord(s[len(s) - 1:])]
def decrypt(self, enc):
iv = enc[:AES.block_size]
cipher = AES.new(self.key, AES.MODE_CBC, iv)
return self._unpad(cipher.decrypt(enc[AES.block_size:]))
def crack_aes2_key():
# 暴力枚举prikey[3:6],共3个字符
for a in dic:
for b in dic:
for c in dic:
prikey_part = a + b + c
key = sha256(prikey_part.encode()).digest() # Python 3需要编码字符串为字节
aes = myAES(key)
# 解密c3得到c2
try:
c2 = aes.decrypt(c3)
except:
continue
# 解密c2得到c1
try:
c1 = aes.decrypt(c2)
except:
continue
# 解密c1得到c0
try:
c0 = aes.decrypt(c1)
except:
continue
# c0是AES1加密的结果,包含IV和密文,长度至少为16+16=32字节
if len(c0) < 32:
continue
# 尝试破解AES1的密钥
flag = crack_aes1_key(c0)
if flag:
print("找到flag:", flag)
return flag
return None
def crack_aes1_key(c0):
# 暴力枚举prikey[0:3],共3个字符
for a in dic:
for b in dic:
for c in dic:
prikey_part = a + b + c
key = sha256(prikey_part.encode()).digest() # Python 3需要编码字符串为字节
aes = myAES(key)
try:
decrypted_bytes = aes.decrypt(c0) # 解密得到字节
flag = decrypted_bytes.decode('utf-8', errors='ignore') # 转换为字符串,忽略解码错误
except:
continue
# 验证flag是否符合UUID格式 (8-4-4-4-12)
if len(flag) == 36 and flag.count('-') == 4:
parts = flag.split('-')
if len(parts) == 5 and len(parts[0]) == 8 and len(parts[1]) == 4 and len(parts[2]) == 4 and len(parts[3]) == 4 and len(parts[4]) == 12:
# 检查是否所有字符都是字母数字
if all(p.isalnum() for p in parts):
return flag
return None
if __name__ == "__main__":
flag = crack_aes2_key()
if flag:
with open("flag_result.md", "w", encoding="utf-8") as f:
f.write(f"找到的flag为:{flag}")
print("flag已保存到flag_result.md")
else:
print("未找到flag")
flag:flag{5c80c096-6dcd-40cd-bfe7-a70587b31215}
easypicgame
随波逐流一把梭,实际分析的话用010打开查看就可以看到这里面有两个图拼起来的,稍微一看就看到flag了
flag:flag{d1de0135cc715365ae9c5a4997874deb}
