Hello 小伙伴们~
感谢大家参与本年度
获奖名单在文章的最后哦~
再次感谢合作伙伴为大家准备的小礼物~
喏,Writeup来啦!
圣诞解题优秀Writeup
初探
# Embedded file name: 3.py
import hashlib
import base64
from Crypto.Cipher import AES
from Crypto import Random
def decrypt(data, password):
bs = AES.block_size
if len(data) <= bs:
return data
unpad = lambda s: s[0:-ord(s[-1])]
iv = data[:bs]
cipher = AES.new(password, AES.MODE_CBC, iv)
data = unpad(cipher.decrypt(data[bs:]))
return data
encrypt_data = '......'
md5 = hashlib.md5()
fn = raw_input()
md5.update(fn)
if '10fb15c77258a991b0028080a64fb42d' == md5.hexdigest():
print 'Are you robot?'
print '87 + 20 = ?'
ans = int(raw_input())
if int(ans) == 107:
try:
md5 = hashlib.md5()
inp = str(int(ans))
md5.update(inp)
password = md5.hexdigest()
encrypt_data = base64.b64decode(encrypt_data)
decrypt_data = decrypt(encrypt_data, password)
f = open(fn, 'wb')
f.write(decrypt_data)
f.close()
except:
pass把前面的md5和算术题去掉,运行,能得到一个图片,上面有一小点字母或者数字,代码最顶上注释有第几个,大概就是拼起来吧
写脚本
解包
改了下pyinstxtractor.py,这里贴部分代码
def main(argv):
arch = PyInstArchive(argv)
if arch.open():
if arch.checkFile():
if arch.getCArchiveInfo():
arch.parseTOC()
arch.extractFiles()
arch.close()
print('[*] Successfully extracted pyinstaller
archive: {0}'.format(argv))
print('')
print('You can now use a python decompiler on the
pyc files within the extracted directory')
return
arch.close()
if __name__ == '__main__':
path = r'E:BaiduNetdiskDownloadquiz'
li = os.listdir(r'E:BaiduNetdiskDownloadquiz')
for l in li:
if l.endswith('exe'):
main(r'E:BaiduNetdiskDownloadquiz' + '\' + l)补头
import os
li = os.listdir(r'./')
print(li)
for l in li:
if l.endswith('exe_extracted'):
ll = os.listdir('./' + l)
bt = b'x03xf3rnpyi0'
with open('./' + l + '/' + ll[0], 'rb+') as f:
so = f.read()
with open('./' + ll[0]+'.pyc', 'wb+') as f:
f.write(bt)
f.write(so)反编译pyc
直接用的图形化的 EasyPythonDecompiler.exe,省事
提取 encrypt_data 和算术题答案
暴力了一点,这里是 python2
import os
import hashlib
import base64
from Crypto.Cipher import AES
from Crypto import Random
def decrypt(data, password):
bs = AES.block_size
if len(data) <= bs:
return data
unpad = lambda s: s[0:-ord(s[-1])]
iv = data[:bs]
cipher = AES.new(password, AES.MODE_CBC, iv)
data = unpad(cipher.decrypt(data[bs:]))
return data
path=r'./output'
for i in range(1,60):
with open(path+'/'+str(i)+'.pyc_dis') as f:
s=f.read()
# print()
md5 = hashlib.md5()
inp = str(eval(s.split(''')[7][:-3]))
md5.update(inp)
password = md5.hexdigest()
encrypt_data = base64.b64decode(s.split(''')[1])
decrypt_data = decrypt(encrypt_data, password)
f = open(path+'/'+str(i)+'.png', 'w')
f.write(decrypt_data)
f.write('n')
f.close()
from PIL import Image
image_white = Image.new('RGB', (2400, 100), 0xFFFFFF)
posx = 0
for i in range(1, 60):
im = Image.open(r'E:BaiduNetdiskDownloadpng' + '\' +
str(i) + '.png')
image_white.paste(im, (posx, 0))
posx += im.width
image_white.save('./result.png')
image_white.show()读网址
读了半天,一直错了,甚至让我一直以为套娃了个web题,要打那个Gh0st1.0
网站,扫了半天目录,看了半天代码
仔细拼了一下出来图片了
解出彩蛋链接:https://www.chamd5.org/e1f10acc44f611ebb3780242ac130002.png
获奖名单
🎄 解题获奖名单
|
第一名🏆 |
Satuer |
| 第二名🥈 | sherlly |
| 第三名🥉 | G1ow5ton3_j0jo |
| 第四名 | [空白] |
| 第五名 | SKY |
| 第六名 | sudo |
| 第七名 | 祈月 |
🎄 抽奖获奖名单
请小宝贝们尽快发送收货地址至后台哦~
招新小广告
ChaMd5 Venom 招收大佬入圈
新成立组IOT+工控+样本分析 长期招新
本文始发于微信公众号(ChaMd5安全团队):2020圣诞解密活动-Writeup
免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论