hgame partial writeup

RE

HelloRe

The plaintext flag can be found directly in the code.

わかります

First locate the key function: it takes a 36-character input string, which after some processing is used as a 6×6 matrix in the computation.


ptr is each input byte shifted right by four (its high nibble); v7 is each input byte AND 0xf (its low nibble; the recovery script below masks with & 0xf, it is not an XOR). Once both matrices are known, brute-forcing each byte gives the flag.

Inspection shows that sub_40078E multiplies two matrices and sub_400892 adds two matrices. Thanks to 黏黏大佬 for recommending the 云算子 (cloud calculator) platform, which solved the matrix product for the ptr matrix; its values are the ptr list used in the script below.


The remaining steps (originally typed into IDA's Python console) are as follows:

# r2: the constants the binary compares the low-nibble result against
r2 = [0x10, 0x08, 0x08, 0x0E, 0x06, 0x0B, 0x05, 0x17, 0x05, 0x0A, 0x0C, 0x17,
      0x0E, 0x17, 0x13, 0x07, 0x08, 0x0A, 0x04, 0x0D, 0x16, 0x11, 0x0B, 0x16,
      0x06, 0x0E, 0x02, 0x0B, 0x12, 0x09, 0x05, 0x08, 0x08, 0x0A, 0x10, 0x0D]
# a2: the matrix that sub_400892 adds to the low nibbles
a2 = [0x08, 0x01, 0x07, 0x01, 0x01, 0x00, 0x04, 0x08, 0x01, 0x02, 0x03, 0x09,
      0x03, 0x08, 0x06, 0x06, 0x04, 0x08, 0x03, 0x05, 0x07, 0x08, 0x08, 0x07,
      0x00, 0x09, 0x00, 0x02, 0x03, 0x04, 0x02, 0x03, 0x02, 0x05, 0x04, 0x00]
# undo the addition: v7 (low nibbles) = r2 - a2
v7 = [r2[i] - a2[i] for i in range(36)]
# v7 == [8, 7, 1, 13, 5, 11, 1, 15, 4, 8, 9, 14, 11, 15, 13, 1, 4, 2, 1, 8, 15, 9, 3, 15, 6, 5, 2, 9, 15, 5, 3, 5, 6, 5, 12, 13]
# ptr (high nibbles), recovered from the matrix product with the online solver
ptr = [6, 6, 6, 6, 6, 7, 3, 5, 7, 6, 6, 6, 6, 5, 4, 6, 7, 7,
       3, 7, 5, 6, 7, 5, 7, 6, 7, 7, 5, 7, 7, 6, 6, 3, 6, 7]
# brute-force each byte: the one whose nibbles match ptr[i] and v7[i]
f = []
for i in range(36):
    for j in range(256):
        if j >> 4 == ptr[i] and j & 0xf == v7[i]:
            f.append(j)
flag = ''.join(chr(c) for c in f)
print(flag)
# hgame{1_think_Matr1x_is_very_usef5l}
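The inversion step generalises beyond this binary. The following is an added example (not the original writeup's script and not the challenge's code) that reimplements the assumed structure of the check: the input's high-nibble matrix multiplied by a constant 6×6 key and its low-nibble matrix added to a constant matrix, and then recovers the input exactly by inverting the key over the rationals, which is what the online solver did for ptr. KEY, ADDEND and all helper names are constructed for the demonstration; the real constants live in the binary and are not on the page.

```python
from fractions import Fraction

N = 6  # the binary works on 6x6 matrices built from a 36-character input


def mat_mul(a, b):
    """Integer matrix product, the operation attributed to sub_40078E."""
    return [[sum(a[i][k] * b[k][j] for k in range(N)) for j in range(N)]
            for i in range(N)]


def mat_add(a, b):
    """Element-wise matrix sum, the operation attributed to sub_400892."""
    return [[a[i][j] + b[i][j] for j in range(N)] for i in range(N)]


def mat_inv(m):
    """Exact inverse by Gauss-Jordan elimination over the rationals.
    Raises ValueError if the matrix is singular (then the product leaks
    nothing and the high nibbles would have to be brute-forced instead)."""
    n = len(m)
    aug = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
           for i, row in enumerate(m)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if pivot is None:
            raise ValueError("key matrix is singular")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        p = aug[col][col]
        aug[col] = [x / p for x in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                f = aug[r][col]
                aug[r] = [x - f * y for x, y in zip(aug[r], aug[col])]
    return [row[n:] for row in aug]


def split_nibbles(s):
    """ptr-style high-nibble matrix and v7-style low-nibble matrix of the input."""
    hi = [[ord(s[N * i + j]) >> 4 for j in range(N)] for i in range(N)]
    lo = [[ord(s[N * i + j]) & 0xF for j in range(N)] for i in range(N)]
    return hi, lo


def transform(s, key, addend):
    """Forward direction as assumed here: hi * key and lo + addend are what
    the binary compares against its stored constants."""
    hi, lo = split_nibbles(s)
    return mat_mul(hi, key), mat_add(lo, addend)


def recover(prod, summed, key, addend):
    """Invert it: hi = prod * key^-1 (exact rationals), lo = summed - addend."""
    hi = mat_mul(prod, mat_inv(key))
    chars = []
    for i in range(N):
        for j in range(N):
            h = hi[i][j]
            if h.denominator != 1 or not 0 <= h < 16:
                raise ValueError("product is not consistent with a nibble matrix")
            chars.append(chr((int(h) << 4) | (summed[i][j] - addend[i][j])))
    return "".join(chars)


# Constructed key material for the demonstration (the real constants are in
# the challenge binary, not on the page). KEY is upper triangular with a
# non-zero diagonal, hence invertible.
KEY = [[2, 1, 0, 0, 0, 0],
       [0, 1, 1, 0, 0, 0],
       [0, 0, 1, 1, 0, 0],
       [0, 0, 0, 1, 1, 0],
       [0, 0, 0, 0, 1, 1],
       [0, 0, 0, 0, 0, 1]]
ADDEND = [[i + j for j in range(N)] for i in range(N)]
FLAG = "hgame{1_think_Matr1x_is_very_usef5l}"

if __name__ == "__main__":
    prod, summed = transform(FLAG, KEY, ADDEND)
    print(recover(prod, summed, KEY, ADDEND))
```

If the key matrix is singular, mat_inv raises and the high nibbles have to be brute-forced position by position instead; the recovered entries are also checked to be integers in 0..15, which catches a wrong guess about which operand of the product is the input.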

r&xor

Patch the key cmp instruction to cmp eax, eax, set a breakpoint on it, and read the register values there (note that they are shown in hexadecimal).

Pro's Python Classroom

Base64-decode the middle part and concatenate it with the other two parts.

python3&4

03f3 0d0a    magic number (Python 2.7)
F1 E1 53 5C  modification timestamp
63           'c': a code object follows
0000 0000    co_argcount
0000 0000    co_nlocals
0500 0000    co_stacksize
4000 0000    co_flags
73           's': a string, i.e. co_code
(note: multi-byte fields are little-endian)
0000 0132    length of co_code in bytes (0x132)
0   71 0003  JUMP_ABSOLUTE to the bytecode at offset 3
3   71 0009  JUMP_ABSOLUTE to the bytecode at offset 9
9   71 000e  JUMP_ABSOLUTE to the bytecode at offset 14
14  47 6464  print the list
17  00 6400  end

This reveals how the Python obfuscation works: the code object opens with a chain of JUMP_ABSOLUTE instructions (opcode 0x71) threaded through dead bytes, which is enough to throw the decompiler off. Patch the bytecode: delete the 14 bytes 71 03 00 71 09 00 64 0F 00 71 0E 00 47 64 and change the length of the code string to 0x0132 - 14 = 0x0124, then decompile. Note that removing bytes shifts every later offset, so any absolute jump target or co_lnotab entry behind the cut has to be rebased by 14 as well; overwriting the dead bytes with NOP (opcode 0x09) instead keeps all offsets valid. Decompiling gives the following code:
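As an added example (not from the original post), here is a small Python 3 script that works the jump chain the way the patch does: a linear sweep of Python 2.7 bytecode, a walker that follows the unconditional jumps from offset 0 to find where real code starts, and both patch variants (NOP fill, which keeps offsets stable, and deletion with rebased jump targets). The opcode numbers are CPython 2.7's; the byte string is constructed from the 14-byte prefix quoted above plus a hand-assembled body, so it is not the challenge's pyc.

```python
# Python 2.7 opcode numbers (CPython 2.7's Lib/opcode.py)
HAVE_ARGUMENT = 90
NOP, PRINT_ITEM, PRINT_NEWLINE, RETURN_VALUE = 9, 71, 72, 83
LOAD_CONST, JUMP_FORWARD, JUMP_ABSOLUTE = 100, 110, 113
POP_JUMP_IF_FALSE, POP_JUMP_IF_TRUE = 114, 115
ABSOLUTE_JUMPS = {JUMP_ABSOLUTE, POP_JUMP_IF_FALSE, POP_JUMP_IF_TRUE}
NAMES = {NOP: "NOP", PRINT_ITEM: "PRINT_ITEM", PRINT_NEWLINE: "PRINT_NEWLINE",
         RETURN_VALUE: "RETURN_VALUE", LOAD_CONST: "LOAD_CONST",
         JUMP_FORWARD: "JUMP_FORWARD", JUMP_ABSOLUTE: "JUMP_ABSOLUTE",
         POP_JUMP_IF_FALSE: "POP_JUMP_IF_FALSE", POP_JUMP_IF_TRUE: "POP_JUMP_IF_TRUE"}


def decode(code):
    """Linear sweep over Python 2.7 co_code, yielding (offset, opcode, arg or None).
    Opcodes >= 90 carry a 16-bit little-endian argument, as noted above."""
    i = 0
    while i < len(code):
        op = code[i]
        if op >= HAVE_ARGUMENT:
            yield i, op, code[i + 1] | (code[i + 2] << 8)
            i += 3
        else:
            yield i, op, None
            i += 1


def disasm(code):
    """Human-readable listing; a linear sweep desynchronises inside the dead
    filler, which is exactly what confuses decompilers."""
    return ["%3d %-18s %s" % (off, NAMES.get(op, "op_%d" % op), "" if arg is None else arg)
            for off, op, arg in decode(code)]


def real_entry(code):
    """Follow the chain of unconditional jumps starting at offset 0 and return
    the first offset holding something other than a jump: that is where the
    real code begins, and everything before it is dead filler."""
    pc, seen = 0, set()
    while pc < len(code) and pc not in seen:
        seen.add(pc)
        op = code[pc]
        if op == JUMP_ABSOLUTE:
            pc = code[pc + 1] | (code[pc + 2] << 8)
        elif op == JUMP_FORWARD:
            pc = pc + 3 + (code[pc + 1] | (code[pc + 2] << 8))
        else:
            return pc
    raise ValueError("jump chain loops or leaves the code object")


def nop_prefix(code):
    """Safe variant of the patch: overwrite the dead prefix with one-byte NOPs
    so no later offset moves (absolute jump targets and co_lnotab stay valid,
    and the marshalled string length is unchanged)."""
    entry = real_entry(code)
    return bytes([NOP]) * entry + code[entry:]


def strip_prefix(code):
    """The patch as described above (delete the dead bytes). Every absolute
    jump that survives must be rebased by the number of bytes removed; the
    caller also has to shrink the string length field (0x132 -> 0x124)."""
    entry = real_entry(code)
    out = bytearray(code[entry:])
    for off, op, arg in decode(bytes(out)):
        if op in ABSOLUTE_JUMPS:
            target = arg - entry
            if target < 0:
                raise ValueError("jump at %d targets the deleted region" % off)
            out[off + 1], out[off + 2] = target & 0xFF, target >> 8
    return bytes(out)


# Constructed sample: the 14-byte jump chain quoted above, followed by a small
# hand-assembled body (load a constant, print it, jump, load, return).
OBFUSCATED = bytes.fromhex(
    "710300" "710900" "640f00" "710e00" "47" "64"   # dead filler, offsets 0-13
    "640000" "47" "48" "711600" "640100" "53")      # real code from offset 14

if __name__ == "__main__":
    print("\n".join(disasm(OBFUSCATED)))
    print("real code starts at offset", real_entry(OBFUSCATED))
    print("\n".join(disasm(strip_prefix(OBFUSCATED))))
```

Running the linear disassembly on the obfuscated bytes shows the desynchronisation at offset 13, where the stray 0x64 swallows the first two bytes of the real code; after either patch the listing reads cleanly.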

#!/usr/bin/env python
# encoding: utf-8
# decompiled with http://tool.lu/pyc; the decompiler garbled the body of
# encode(), which has been reconstructed below as base64 over a custom alphabet
import string
letters = list(string.letters) + list(string.digits) + [
    '+',
    '/']
print letters
dec = 'FcjTCgD1EffEm2rPC3bTyL5Wu2bKBI9KAZrwFgrUygHN'

def encode(input_str):
    # standard base64 procedure, but the alphabet is a-z, A-Z, 0-9, +, /
    # (string.letters puts lowercase first, unlike real base64)
    str_ascii_list = [ '{:0>8}'.format(str(bin(ord(i))).replace('0b', '')) for i in input_str ]
    output_str = ''
    equal_num = 0
    while str_ascii_list:
        # take three 8-bit groups (24 bits); a short final block is zero-padded
        # (padding branch reconstructed; dec has no '=' so it is not exercised)
        temp_str = ''.join(str_ascii_list[0:3])
        if len(temp_str) < 24:
            equal_num = 3 - len(str_ascii_list)
            temp_str = temp_str + '0' * (24 - len(temp_str))
        temp_str_list = [ temp_str[x:x + 6] for x in [0, 6, 12, 18] ]
        temp_str_list = [ int(x, 2) for x in temp_str_list ]
        if equal_num:
            temp_str_list = temp_str_list[0:4 - equal_num]
        output_str += ''.join([ letters[x] for x in temp_str_list ])
        str_ascii_list = str_ascii_list[3:]
    output_str = output_str + '=' * equal_num
    return output_str

print "Welcome to Processor's Python Classroom Part 3&4!\n"
print 'qi shi wo jiu shi lan cai ba liang dao ti fang zai yi qi.'
print "Now let's start the origin of Python!\n"
print 'Plz Input Your Flag:\n'
enc = raw_input()
lst = list(enc)
lst.reverse()
llen = len(lst)
# even positions: -2 then +1 (net -1); odd positions: +1
for i in range(llen):
    if i % 2 == 0:
        lst[i] = chr(ord(lst[i]) - 2)
    lst[i] = chr(ord(lst[i]) + 1)

enc2 = ''
enc2 = enc2.join(lst)
enc3 = encode(enc2)
if enc3 == dec:
    print "You're right! "
else:
    print "You're Wrong! "

Analysing this yields the flag: decode dec with the custom alphabet, undo the per-position +1/-1, and reverse the string.
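Solver as an added example (not the author's script): decode dec through the custom alphabet, undo the per-position adjustment and the reversal, and re-run the checker's transform to confirm the result. It is Python 3; the custom alphabet is read off the decompiled letters list, and the translation-table approach is the general way to handle any reordered base64 alphabet.

```python
import base64
import string

# Alphabet used by the challenge's encode(): string.letters + digits + "+/",
# i.e. a-z first, then A-Z; standard base64 starts with A-Z.
CUSTOM = (string.ascii_lowercase + string.ascii_uppercase + string.digits + "+/").encode()
STANDARD = (string.ascii_uppercase + string.ascii_lowercase + string.digits + "+/").encode()
DEC = "FcjTCgD1EffEm2rPC3bTyL5Wu2bKBI9KAZrwFgrUygHN"


def custom_b64decode(s):
    """Map the custom alphabet onto the standard one, then use base64."""
    return base64.b64decode(s.encode().translate(bytes.maketrans(CUSTOM, STANDARD)))


def custom_b64encode(b):
    return base64.b64encode(b).translate(bytes.maketrans(STANDARD, CUSTOM)).decode()


def forward(flag):
    """The checker's transform: reverse, even positions -2 then +1, odd
    positions +1, then custom base64 (mirrors the decompiled code)."""
    lst = list(flag[::-1])
    for i in range(len(lst)):
        if i % 2 == 0:
            lst[i] = chr(ord(lst[i]) - 2)
        lst[i] = chr(ord(lst[i]) + 1)
    return custom_b64encode("".join(lst).encode())


def solve(dec=DEC):
    """Invert forward(): custom base64 decode, undo +1 (and the -2 on even
    positions), then reverse."""
    lst = list(custom_b64decode(dec).decode())
    for i in range(len(lst)):
        lst[i] = chr(ord(lst[i]) - 1)
        if i % 2 == 0:
            lst[i] = chr(ord(lst[i]) + 2)
    return "".join(lst)[::-1]


if __name__ == "__main__":
    flag = solve()
    print(flag)
    assert forward(flag) == DEC   # round trip against the checker's own transform
```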

Crypto

Mix

Morse code -> hex to ASCII -> rail fence cipher -> Caesar cipher
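Added example, not part of the original writeup: the four decoders as a chain, with the forward direction included only to build a constructed sample. The rail fence is the classic zigzag variant, which is an assumption (the page does not say which variant the challenge used); the Caesar step exposes all 26 shifts so the right one can be picked by eye.

```python
MORSE = {
    ".-": "A", "-...": "B", "-.-.": "C", "-..": "D", ".": "E", "..-.": "F",
    "--.": "G", "....": "H", "..": "I", ".---": "J", "-.-": "K", ".-..": "L",
    "--": "M", "-.": "N", "---": "O", ".--.": "P", "--.-": "Q", ".-.": "R",
    "...": "S", "-": "T", "..-": "U", "...-": "V", ".--": "W", "-..-": "X",
    "-.--": "Y", "--..": "Z", "-----": "0", ".----": "1", "..---": "2",
    "...--": "3", "....-": "4", ".....": "5", "-....": "6", "--...": "7",
    "---..": "8", "----.": "9",
}
MORSE_REV = {v: k for k, v in MORSE.items()}


def morse_decode(s):
    """Letters separated by spaces, words by '/'."""
    return "".join(" " if sym == "/" else MORSE[sym] for sym in s.split())


def morse_encode(s):
    return " ".join("/" if ch == " " else MORSE_REV[ch.upper()] for ch in s)


def hex_to_text(h):
    return bytes.fromhex(h).decode("ascii")


def rail_fence_encrypt(seq, rails):
    """Classic zigzag rail fence over any sequence; returns a list."""
    period = 2 * (rails - 1) if rails > 1 else 1
    rows = [[] for _ in range(rails)]
    for i, item in enumerate(seq):
        r = i % period
        rows[r if r < rails else period - r].append(item)
    return [item for row in rows for item in row]


def rail_fence_decrypt(ct, rails):
    """Invert by encrypting the index sequence: perm[k] is the plaintext
    position that landed at ciphertext position k."""
    perm = rail_fence_encrypt(range(len(ct)), rails)
    pt = [None] * len(ct)
    for k, src in enumerate(perm):
        pt[src] = ct[k]
    return "".join(pt)


def caesar(s, shift):
    """Shift letters only; digits and punctuation (flag braces) pass through."""
    out = []
    for ch in s:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr((ord(ch) - base + shift) % 26 + base))
        else:
            out.append(ch)
    return "".join(out)


def caesar_candidates(s):
    """All 26 possible plaintexts; pick the one that reads as a flag."""
    return [caesar(s, -k) for k in range(26)]


def mix_decode(morse_text, rails, shift):
    step1 = morse_decode(morse_text)          # Morse -> hex digits
    step2 = hex_to_text(step1)                # hex -> ASCII
    step3 = rail_fence_decrypt(step2, rails)  # rail fence
    return caesar(step3, -shift)              # Caesar


def mix_encode(plain, rails, shift):
    """Forward chain, used only to build the constructed sample below."""
    c = caesar(plain, shift)
    r = "".join(rail_fence_encrypt(c, rails))
    return morse_encode(r.encode("ascii").hex().upper())


# Constructed sample (3 rails, shift 3); not the challenge's ciphertext.
SAMPLE = mix_encode("hgame{constructed_mix_sample}", 3, 3)

if __name__ == "__main__":
    print(SAMPLE)
    print(mix_decode(SAMPLE, 3, 3))
```

When the rail count is unknown, loop rail_fence_decrypt over 2..len(ct)//2 and feed each result to caesar_candidates; the correct combination is the one that produces a readable flag prefix.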

perfect_secrecy

OTP, a one-time pad.

https://www.jianshu.com/p/ea2bda3a0099
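As an added illustration (not from the page or the linked article) of what perfect secrecy buys and where it breaks: XOR with a full-length random pad is unbreakable for one message because every plaintext of that length is consistent with the ciphertext under some key, but as soon as the pad is reused, c1 XOR c2 equals m1 XOR m2 and crib dragging recovers both messages. M1, M2 and the crib are constructed; the pad is drawn from os.urandom.

```python
import os


def xor_bytes(a, b):
    if len(a) != len(b):
        raise ValueError("a one-time pad must be exactly as long as the message")
    return bytes(x ^ y for x, y in zip(a, b))


def otp_encrypt(msg, key):
    """Encryption and decryption are the same XOR."""
    return xor_bytes(msg, key)


def consistent_key(ciphertext, claimed_plaintext):
    """Perfect secrecy in one line: for a single-use pad, any plaintext of the
    right length is explained by some key, so the ciphertext reveals nothing."""
    return xor_bytes(ciphertext, claimed_plaintext)


def two_time_pad_leak(c1, c2):
    """If the pad is reused, c1 XOR c2 == m1 XOR m2: the key cancels out."""
    return xor_bytes(c1, c2)


def crib_drag(xored, crib):
    """Slide a guessed fragment of one plaintext over m1^m2; every offset
    yields what the other plaintext would read there. Returns (offset, text)
    for positions where the result is printable."""
    hits = []
    for off in range(len(xored) - len(crib) + 1):
        guess = xor_bytes(xored[off:off + len(crib)], crib)
        if all(32 <= b < 127 for b in guess):
            hits.append((off, guess.decode()))
    return hits


# Constructed sample: two equal-length messages encrypted under one pad.
M1 = b"hgame{pad_reuse_breaks_otp}"
M2 = b"the second message is lost "
KEY = os.urandom(len(M1))
C1 = otp_encrypt(M1, KEY)
C2 = otp_encrypt(M2, KEY)   # the mistake: the same pad used twice

if __name__ == "__main__":
    leak = two_time_pad_leak(C1, C2)
    for off, text in crib_drag(leak, b"hgame{"):
        print(off, text)
```

The crib b"hgame{" at offset 0 reads the first six bytes of the other message straight out of the XOR; a practitioner then extends the crib word by word. The same leak is why stream ciphers with a repeated nonce fail in exactly the same way.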

Base全家 (the whole Base family)

import base64

with open('enc.txt') as f:
    data = f.read().strip()

# twenty layers, each identified by its alphabet
# (base16: 0-9A-F, base32: A-Z2-7, base64: A-Za-z0-9+/), outermost first
layers = [
    base64.b64decode, base64.b64decode, base64.b16decode, base64.b16decode, base64.b16decode,
    base64.b32decode, base64.b16decode, base64.b32decode, base64.b64decode, base64.b16decode,
    base64.b64decode, base64.b16decode, base64.b16decode, base64.b16decode, base64.b16decode,
    base64.b32decode, base64.b64decode, base64.b64decode, base64.b64decode, base64.b32decode,
]
for decode in layers:
    data = decode(data)
print(data)
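An added helper (not the author's script) that automates the layer identification worked out by hand above: it tries base16, base32 and base64 in order of narrowest alphabet, accepts a layer only when the result is printable text, and peels until nothing matches. The nested SAMPLE is constructed inside the block; the regex alphabets and the printable heuristic are my choices.

```python
import base64
import binascii
import re

# Narrowest alphabet first: hex is a subset of the base32 and base64 alphabets,
# and base32 is a subset of base64, so the order resolves most ambiguities.
LAYERS = [
    ("b16", re.compile(rb"^[0-9A-F]+$"), 2, base64.b16decode),
    ("b32", re.compile(rb"^[A-Z2-7]+=*$"), 8, base64.b32decode),
    ("b64", re.compile(rb"^[A-Za-z0-9+/]+=*$"), 4, base64.b64decode),
]


def is_printable_ascii(b):
    return len(b) > 0 and all(9 <= c < 127 for c in b)   # allow tab/newline


def peel_once(data):
    """Return (layer_name, decoded) for the first layer whose alphabet and
    block length match and whose output is printable, else None."""
    data = data.strip()
    for name, pattern, block, decoder in LAYERS:
        if len(data) % block == 0 and pattern.match(data):
            try:
                out = decoder(data)
            except (binascii.Error, ValueError):
                continue
            if is_printable_ascii(out):
                return name, out
    return None


def peel(data, max_layers=64):
    """Peel nested base16/32/64 until the content stops looking encoded.
    Returns (innermost_bytes, [layer names outermost first])."""
    layers = []
    for _ in range(max_layers):
        step = peel_once(data)
        if step is None:
            break
        name, data = step
        layers.append(name)
    return data.strip(), layers


ENCODERS = {"b16": base64.b16encode, "b32": base64.b32encode, "b64": base64.b64encode}


def wrap(plaintext, order):
    """Build a nested sample; layers in `order` are applied in sequence, so
    the last one is outermost."""
    data = plaintext
    for name in order:
        data = ENCODERS[name](data)
    return data


# Constructed sample, not the challenge's enc.txt.
SAMPLE = wrap(b"hgame{constructed_base_family}", ["b64", "b16", "b32", "b64", "b16"])

if __name__ == "__main__":
    plaintext, layers = peel(SAMPLE)
    print(layers)
    print(plaintext)
```

The printable check is what stops the loop from over-peeling a plaintext that happens to look like base64; for binary payloads replace it with a check that fits the expected final format (a magic number, a flag prefix).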

easy_rsa

e = 12

p = 58380004430307803367806996460773123603790305789098384488952056206615768274527

q = 81859526975720060649380098193671612801200505029127076539457680155487669622867

ciphertext = 206087215323690202467878926681944491769659156726458690815919286163630886447291570510196171585626143608988384615185921752409380788006476576337410136447460

e = 12 shares the factor 4 with phi = (p-1)(q-1) (both p-1 and q-1 are even), so 12 has no inverse modulo phi. The part that can be inverted is 3: decrypting with d = 3^-1 mod phi gives c^d = m^(12d) = m^4 mod n, and since the message is short, m^4 is only a little larger than n, so the true m^4 is found by adding multiples of n until an exact fourth root appears.

import gmpy2
p = gmpy2.mpz(58380004430307803367806996460773123603790305789098384488952056206615768274527)
q = gmpy2.mpz(81859526975720060649380098193671612801200505029127076539457680155487669622867)
c = gmpy2.mpz(206087215323690202467878926681944491769659156726458690815919286163630886447291570510196171585626143608988384615185921752409380788006476576337410136447460)
n = p * q
phi = (p - 1) * (q - 1)
# gcd(12, phi) = 4, so invert 3 instead of 12: c^d = m^(12*d) = m^4 mod n
d = gmpy2.invert(3, phi)
m4 = pow(c, d, n)
print(m4)
# lift m^4 mod n back to the integer m^4: find i such that m4 + i*n is a perfect fourth power
# (terminates quickly only if m^4 is not much larger than n, i.e. m is short)
i = 0
while True:
    root, exact = gmpy2.iroot(m4 + i * n, 4)
    if exact:
        print(hex(root), m4 + i * n)
        break
    i += 1
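Added example, not the author's script: the general form of the trick for any gcd(e, phi) = g > 1, in plain Python 3 (no gmpy2; pow(x, -1, m) needs Python 3.8 or later). It inverts e/g, obtains m^g mod n, then lifts by adding multiples of n until an exact g-th root appears. The search only terminates quickly when m^g is at most a few multiples of n, i.e. when the message is short; for long messages this lift is infeasible, which is why the function bounds it. The P, Q, E, C constants are the challenge's values from above.

```python
from math import gcd


def iroot(x, k):
    """Integer k-th root: returns (floor(x ** (1/k)), exact)."""
    if x < 0 or k < 1:
        raise ValueError("bad arguments")
    if x < 2:
        return x, True
    r = 1 << ((x.bit_length() + k - 1) // k)   # overestimate of the root
    while True:                                 # Newton steps, decreasing
        t = ((k - 1) * r + x // pow(r, k - 1)) // k
        if t >= r:
            return r, pow(r, k) == x
        r = t


def rsa_decrypt_shared_factor(c, p, q, e, max_lift=1 << 20):
    """RSA with gcd(e, phi) = g > 1. e has no inverse mod phi, but e/g does
    and yields m**g mod n. If m**g is only slightly larger than n, a short
    search over m**g + i*n finds the true g-th power. Returns m, or None if
    the lift does not succeed within max_lift multiples of n."""
    n = p * q
    phi = (p - 1) * (q - 1)
    g = gcd(e, phi)
    d = pow(e // g, -1, phi)          # modular inverse, Python 3.8+
    m_g = pow(c, d, n)                # == m**g mod n
    if g == 1:
        return m_g                    # ordinary RSA
    for i in range(max_lift):
        root, exact = iroot(m_g + i * n, g)
        if exact:
            return root
    return None


def rsa_encrypt(m, p, q, e):
    return pow(m, e, p * q)


# Parameters of the challenge (from the page).
P = 58380004430307803367806996460773123603790305789098384488952056206615768274527
Q = 81859526975720060649380098193671612801200505029127076539457680155487669622867
E = 12
C = 206087215323690202467878926681944491769659156726458690815919286163630886447291570510196171585626143608988384615185921752409380788006476576337410136447460

if __name__ == "__main__":
    m = rsa_decrypt_shared_factor(C, P, Q, E)
    if m is None:
        print("lift did not converge within the bound")
    else:
        print(m.to_bytes((m.bit_length() + 7) // 8, "big"))
```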

Reposted from blog.csdn.net/shannow_123/article/details/88234246