BUU Misc Walkthrough 8

【SUCTF2018】dead_z3r0

Knowledge points: pyc steganography, the pyc steganography tool stegosaurus

stegosaurus extracts data hidden in pyc files.

Usage:

./stegosaurus -x key.pyc

Reference article on pyc steganography

Record of pyc file headers:

Python version    magic number (first four bytes)
Python 2.7        03 F3 0D 0A
Python 3.6        33 0D 0D 0A
Python 3.7        42 0D 0D 0A
Python 3.8        55 0D 0D 0A

Reference article: Chaitin Tech (长亭) column

pyc file format:

magic number + source-file information + PyCodeObject

  • 4-byte magic number
  • 12 bytes of source-file information (the length differs between versions)
  • the marshalled (serialized) PyCodeObject
# python 2.7 header

# python 3.6 header

# python 3.7 header
# hash-based pyc files are supported from Python 3.7 onwards
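As an added example (not code from the original post), a small parser for the header layouts just listed, plus a scanner that locates a pyc embedded inside another blob, which is exactly the situation in this challenge. Header lengths per version follow the CPython source and PEP 552; the sample blobs are constructed.

```python
import struct

# Magic numbers from the table above: a 2-byte little-endian version word followed by b"\r\n".
# The second value is the full header length (magic + source-file info) for that version.
PYC_MAGICS = {
    bytes.fromhex("03f30d0a"): ("Python 2.7", 8),    # magic + 4-byte mtime
    bytes.fromhex("330d0d0a"): ("Python 3.6", 12),   # magic + mtime + source size
    bytes.fromhex("420d0d0a"): ("Python 3.7", 16),   # magic + flags + 8 bytes (PEP 552)
    bytes.fromhex("550d0d0a"): ("Python 3.8", 16),
}


def parse_pyc_header(blob, offset=0):
    """Parse the pyc header at `offset`; return a dict describing it, or None if no known magic."""
    magic = blob[offset:offset + 4]
    if magic not in PYC_MAGICS:
        return None
    version, header_len = PYC_MAGICS[magic]
    if len(blob) < offset + header_len:
        return None  # truncated header: not a usable pyc
    info = {"version": version, "header_len": header_len,
            "code_offset": offset + header_len, "hash_based": False}
    body = blob[offset + 4:offset + header_len]
    if header_len == 8:                         # 2.7: mtime only
        info["mtime"], = struct.unpack("<I", body)
    elif header_len == 12:                      # 3.3-3.6: mtime + source size
        info["mtime"], info["source_size"] = struct.unpack("<II", body)
    else:                                       # 3.7+: the flags word decides the layout
        flags, = struct.unpack("<I", body[:4])
        if flags & 1:
            info["hash_based"] = True
            info["check_source"] = bool(flags & 2)
            info["source_hash"] = body[4:12].hex()
        else:
            info["mtime"], info["source_size"] = struct.unpack("<II", body[4:12])
    return info


def find_embedded_pyc(blob):
    """Scan a blob for any known pyc magic (here the pyc followed a block of base64 junk)."""
    hits = []
    for magic in PYC_MAGICS:
        start = 0
        while True:
            pos = blob.find(magic, start)
            if pos < 0:
                break
            info = parse_pyc_header(blob, pos)
            if info is not None:
                hits.append((pos, info))
            start = pos + 1
    return sorted(hits)
```

The marshalled code object starts at `code_offset`; that is the slice to save as key.pyc before running stegosaurus on it.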

Challenge analysis

Analysing the file in 010 Editor, the beginning looks like base64; decoding it gave garbage, nothing useful.

Further on there is what looks like a pyc file: 33 0D 0D 0A is the Python 3.6 pyc header.

The strings after it also show that this is a Python file.

# copy out the segment starting with 33 0D 0D 0A and save it as a file named key
# the file command on kali confirms what it is

Next, use stegosaurus to extract the hidden file.

Usage:

./stegosaurus -x key.pyc

SUCTF{Z3r0_fin411y_d34d}

【XMAN2018排位赛】ppap

Knowledge point: decoding base64 into an image

Online base64-to-image decoder

Challenge analysis

Follow the TCP stream to find the flag data. There is a long base64 string; decode it with an online site.

Online base64-to-image decoder

An invalid character ~ appears; search for it in the text.

Decode the base64 again.

After decoding, the three segments turn out to be different kinds of data: the middle one is a ZIP and the last is XML, which does not seem useful.

The resulting ZIP file needs a password.

ROOT's and 末初's blogs say this site can crack it. I didn't manage it anyway.

https://passwordrecovery.io/zip-file-password-removal/

Password obtained: skullandcrossbones

flag{b31Ng_4_P1r4tE_1s_4lR1GHT_w1Th_M3}

【BSidesSF2020】barcoder

Knowledge points: manually repairing a barcode, the image editor GIMP

I found an image editor that can stand in for Photoshop:

GIMP download

I downloaded it but couldn't work out how to use it, so for this challenge I still used the built-in Paint app.

题目分析

Use StegSolve to remove the red channel.

Fixing it bar by bar in Windows 10's built-in Paint was soul-destroying, idiotic.

Scan it with a phone app (中国编码) to get the flag.

CTF{way_too_common}

【INSHack2018】Spreadshit

Knowledge point: Excel steganography

Challenge analysis

Opening the provided spreadshit.ods in Excel shows a blank sheet. From experience there must be hidden content.

Select the whole sheet, then in the menu choose Conditional Formatting => Highlight Cells Rules => Text Contains.

While choosing the rule, click anywhere on the sheet and text appears.

# flag{3cf6463910edffb0}
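The same check done offline, as an added example that is not part of the original post: an .ods file is a zip whose content.xml holds every cell, so dumping the text of each cell ignores whatever styling (white text, tiny font, hidden rows) made the sheet look blank. The sample workbook is constructed inside the block.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

NS_TABLE = "urn:oasis:names:tc:opendocument:xmlns:table:1.0"
NS_TEXT = "urn:oasis:names:tc:opendocument:xmlns:text:1.0"
NS_OFFICE = "urn:oasis:names:tc:opendocument:xmlns:office:1.0"


def dump_ods_cells(ods_bytes):
    """Return [(sheet, row, col, text)] for every non-empty cell, ignoring all styling.
    Repeated-column attributes are honoured so the column index is right; repeated rows are not."""
    found = []
    with zipfile.ZipFile(io.BytesIO(ods_bytes)) as zf:
        root = ET.fromstring(zf.read("content.xml"))
    cell_tags = {"{%s}table-cell" % NS_TABLE, "{%s}covered-table-cell" % NS_TABLE}
    for sheet in root.iter("{%s}table" % NS_TABLE):
        name = sheet.get("{%s}name" % NS_TABLE, "?")
        for r, row in enumerate(sheet.iter("{%s}table-row" % NS_TABLE)):
            c = 0
            for cell in row:
                if cell.tag not in cell_tags:
                    continue
                repeat = int(cell.get("{%s}number-columns-repeated" % NS_TABLE, "1"))
                text = "".join(cell.itertext()).strip()
                if text:
                    found.append((name, r, c, text))
                c += repeat
    return found


def build_sample_ods():
    """Constructed sample: a one-sheet .ods with a single styled cell in row 1, column 2."""
    content = f'''<?xml version="1.0" encoding="UTF-8"?>
<office:document-content xmlns:office="{NS_OFFICE}" xmlns:table="{NS_TABLE}" xmlns:text="{NS_TEXT}">
 <office:body><office:spreadsheet>
  <table:table table:name="Sheet1">
   <table:table-row><table:table-cell table:number-columns-repeated="3"/></table:table-row>
   <table:table-row>
    <table:table-cell table:number-columns-repeated="2"/>
    <table:table-cell table:style-name="white_on_white"><text:p>flag{{sample_only}}</text:p></table:table-cell>
   </table:table-row>
  </table:table>
 </office:spreadsheet></office:body>
</office:document-content>'''
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("mimetype", "application/vnd.oasis.opendocument.spreadsheet")
        zf.writestr("content.xml", content)
    return buf.getvalue()
```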

【GKCTF 2021】FireFox Forensics

Knowledge point: Firefox password forensics

Firefox password forensics: study article

Tools:

firepwd: cracks the saved passwords

Installing firepwd on kali:

# download: git clone https://github.com/lclevy/firepwd.git

# install: pip3 install -r requirements.txt

# required modules:
# pyasn1  (I didn't install this; my python3 probably already had it)
# PyCryptodome (a module I used a lot when studying crypto, so I already had it)

Challenge analysis

After installing firepwd, run:

# python3 firepwd.py -d ./FireFox_Forensics

GKCTF{9cf21dda-34be-4f6c-a629-9c4647981ad7}

【RCTF2019】printer

Knowledge point: printer programming (BITMAP, BAR)

Solution script:

from PIL import Image
from pwn import *

img = Image.new( '1', (1000,1000),color=1)
pixels = img.load()

data1 = 'FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF 00FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFC3FF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF E7FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFE7FF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF E7FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFE7FF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF E7FFE3FF FE1FFFFF FFFFF807 C03C603F C07C07E0 007F7FF0 1F8067FF 007FF803 FC07C03F FF1FF1F0 4F8FF1FF 1FFF1FFF 3FFCFF1F 27FC7F1F F3E1FF1F F9FFFF1F F1FC1FCF F8FF1FFF 1FFF3FFE FE3F87F8 FF9FEFF8 FF1FF9FF FF8FF1FC 3FC7FCFF 1FFF1FFF 1FFEFC7F C7F9FF8F DFFC7F1F F9FFFF8F F1FC7FE3 FC7F1FFF 1FFF1FFE FCFFE7F1 FF8F9FFC 3F1FF9FF FFC7F1FC 7FE3FE3F 1FFF1FFF 0FFEF8FF E7F1FF0F BFFE3F1F F9FFFFC7 F1FC7FE3 FE3F1FFF 1FFF0FFE F8FFE7E1 FF8F3FFE 3F1FF9FF FFE3F1FC 7FE3FF1F 1FFF1FFF 47FEF8FF E7E3FF9F 7FFE1F1F F9FFFFE3 F1FC7FF3 FF8E1FFF 1FFF47FE F9FFE7E3 FFFFFFFF 1F1FF9FF FFF1F1FC 7FF3FF8C 1FFF1FFF 63FEF9FF E7F1FFFF FFFF1F1F F9FFFFF1 F1FC7FF3 FFC11FFF 1FFF63FE F9FFE7F1 FFFFFFFF 1F1FF9FF FFF1F1FC 7FE3FFE3 1FFF1FFF 71FEF9FF E7F1FFFF FFFF1F1F F9FFFFF8 F1FC7FE3 FFE71FFF 1FFF71FE F8FFE7F8 FFFFFFFF 0F1FF9FF FFF8F1FC 7FE3FFCF 1FFF1FFF 78FEF8FF E7FCFFFF FFFF0F1F F9FFFFFC 61FC7FE7 FF9F1FFF 1FFF78FE F8FFC7FE 3FFFFFFF 0F1FF9FF FFFC41FC 7FC7FF3F 1FFF1FFF 7C7EFCFF C7FF83FF FFFF0F9F F1FFFFFE 11FC3F8F FF7F1FFF 1FFF7C7E FC7FA7FF 87FFFFFF 0F9FE9FF FFFE31FC 1F1FFE7F 1FFF1FFF 7E3EFE3E 67FE3FFF FFFF1F8F 99FFFFFF 31FC403F E01F1FFF 1FFF7E3E FF80E0FC 7FFFFFFF 1FC039FF FFFE71FC 79FFFFFF 1FFF1FFF 7F1EFFF3 EFF8FFFF FFFF1FF0 F9FFFFFE F1FC7FFF FFFF1FFF 1FFF7F0E FFFFFFF8 FFFFFFFF 1FFFF9FF FFFCF1FC 7FFFFFFF 1FFF1FFF 7F8EFFFF FFF8FFFF FFFE1FFF F9FFFFF9 F1FC7FFF FFFF1FFF 1FFF7F86 FFFFFFF8 FF9F7FFE 3FFFF9FF FFFBF1FC 7FFFFFFF 1FFF1FFF 7FC6FFFF FFF8FF0F 3FFE3FFF F9FFFFF7 F1FC7FFF FFFF1FFF 1FFF7FC2 FFFFFFF8 FF8FBFFC 7FFFF9FF FFE7F1FC 7FFFFFFF 1FFF1FFF 7FE2FFFF FFF8FF8F 9FFC7FFF F9FFFFCF F1FC7FFF FFFF1FFF 1FFF7FF0 FFFFFFFC FF9F9FF8 FFFFF9FF 
FF8FF1FC 7FFFFFFF 1FFF1FFF 7FF0FFFF FFFC7F9F 8FF1FFFF F9FFFF0F F0FC3FFF FFFF1FFF 0FFE7FF8 FFFFFFFE 1E7F83E3 FFFFF8FF FC03C03C 0FFFFFFF 03E00078 0FF83FFF FFFF80FF F80FFFFF F83FFFFF FFFDFFFF FFFF3FFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFBFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF'
data1 = bits(int(data1.replace(' ', '').strip(), 16))

data2 = 'FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF C7FFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FE38FFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFDFF7F FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFF9FF 3FFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFF9 FF3FFFFF FFFFFFFF 9FFEFBFF C7FFFFFF E1FFF8FF FFFFFC3F FFFFFFFF F9FF3FF8 FFFFFFFF FF0FFEFB FF39FF00 7F9C7FE7 2FFFFFF3 C3FC07FF FFF87E78 463F803F F01F0FFE 7BFEFEFF F7FF3F3F 9F8FFFFF EFF3FFBF FFFFFC01 FA3F9FFB FFFE7F9F FE71FCFE 7FF7FF7F 9F9FCFFF FFEFFBFF BFFFFFFF C07E7F9F FBFFFE7F FFFC71F9 FF3FF7FE FF9F3FCF FFFFEFFB FFBFFFFF FFFE7E7F 8FFBFFFE 7FFFFD75 F9FF3FF7 FFFFCF3F CFFFFFE7 FFFFBFFF FFFFFE7E 7F9FFBFF FE7FFFFD 35F9FF3F F7FFFFCF 3FCFFFFF E3FFFFBF FFFFFF80 FE7F9FFB FFFE7FFF FD2CF9FF 3FF7FFFF CF3FCFFF FFF07FFF BFFFFFFF 7CFE7F3F FBFFFE7F FFFB2CF9 FF3FF7FE 000F3FCF FFFFFC1F FFBFFFFF FE7E7E7C 7FFBFFFE 7FFFFBAC F9FF3FF7 FE7FCF3F CFFFFFFF 87FFBFFF FFFE7E7E 03FFFBFF FE7FFFFB 9EF9FF3F F7FE7FCF 3FCFFFFF FFE7FFBF FFFFFEFE 7E7FFFFB FFFE7FFF FB9E79FF 3FF7FE7F 9F3FCFFF FFEFF3FF BFFFFFFE FE7E7F9F FBFFFE7F FFF79E7C FE7FF7FF 3F9F9F8F FFFFEFF3 FFBFFFFF FE7E7F7F 1FFBFFFE 7F1FF79E 7EFCFFF7 FF3F3F9F 0FFFFFE7 F7FFBFFF FFF27EFF 3F3FFBFF FE7F0FE3 8E3F39FF F7FFCE7F C04FFFFF E1CFFF9F FFFFF019 FF9E7FFB FFFE7F1F FFFFFFC7 FFF7FFF1 FFFBCFFF FFEE3FFF 87FFFFFB E7FFE1FF FBFFE00F FFFFFFFF FFFFF7FF FFFFFFCF FFFFFFFF FFFFFFFF FFFFFFFF FFFBFFFE 7FFFFFFF FFFFFFF7 FFFFFFFF CFFFFFFF FFFFFFFF FFFFFFFF FFFFFBFF FE7FFFFF FFFFFFFF F7FFFFFF FFCFFFFF FFFFFFFF FFFFFFFF FFFFFFFB FFFE7FFF FFFFFFFF FFF7FFFF FFFFCFFF FFFFFFFF FFFFFFFF FFFFFFFF FBFE7E7F FFFFFFFF FFFFF7FF FFFFFFCF FFFFFFFF FF3FFFFF FFFFFFFF FFFBFE7E FFFFFFFF FFFFFFF7 FFFFFFFF CFFFFFFF FFFF1FFF FFFFFFFF FFFFFBFE 7CFFFFFF FFFFFFFF F03FFFFF FFC3FFFF 
FFFFFF1F FFFFFFFF FFFFFFF8 1F03FFFF FFFFFFFF FFF3FFFF FFFFCFFF FFFFFFFF BFFFFFFF FFFFFFFF F9FFFFFF'
data2 = bits(int(data2.replace(' ', '').strip(), 16))

cmds = '''
BAR 348, 439, 2, 96
BAR 292, 535, 56, 2
BAR 300, 495, 48, 2
BAR 260, 447, 2, 88
BAR 204, 447, 56, 2
BAR 176, 447, 2, 96
BAR 116, 455, 2, 82
BAR 120, 479, 56, 2
BAR 44, 535, 48, 2
BAR 92, 455, 2, 80
BAR 20, 455, 72, 2
BAR 21, 455, 2, 40
BAR 21, 495, 24, 2
BAR 45, 479, 2, 16
BAR 36, 479, 16, 2
BAR 284, 391, 40, 2
BAR 324, 343, 2, 48
BAR 324, 287, 2, 32
BAR 276, 287, 48, 2
BAR 52, 311, 48, 2
BAR 284, 239, 48, 2
BAR 308, 183, 2, 56
BAR 148, 239, 48, 2
BAR 196, 191, 2, 48
BAR 148, 191, 48, 2
BAR 68, 191, 48, 2
BAR 76, 151, 40, 2
BAR 76, 119, 2, 32
BAR 76, 55, 2, 32
BAR 76, 55, 48, 2
BAR 112, 535, 64, 2
BAR 320, 343, 16, 2
BAR 320, 319, 16, 2
BAR 336, 319, 2, 24
BAR 56, 120, 24, 2
BAR 56, 87, 24, 2
BAR 56, 88, 2, 32
BAR 224, 247, 32, 2
BAR 256, 215, 2, 32
BAR 224, 215, 32, 2
BAR 224, 184, 2, 32
BAR 224, 191, 32, 2
BAR 272, 311, 2, 56
BAR 216, 367, 56, 2
BAR 216, 319, 2, 48
BAR 240, 318, 2, 49
BAR 184, 351, 2, 16
BAR 168, 351, 16, 2
BAR 168, 311, 2, 40
BAR 152, 351, 16, 2
BAR 152, 351, 2, 16
'''
cmds = cmds.strip().split('\n')


def draw_bitmap(pixels, x, y, width, height, data):
  # BITMAP width is given in bytes; each byte holds 8 pixels, most significant bit first
  width *= 8
  for w in range(width):
    for h in range(height):
      rw = w + x
      rh = h + y
      pixels[rw, rh] = data[w+h*width]   # use the bitmap passed in (the original read data1 for both calls)

def draw_bar(pixels, x, y, width, height):
  # BAR x, y, width, height: a solid black rectangle
  for w in range(width):
    for h in range(height):
      rw = w + x
      rh = h + y
      pixels[rw, rh] = 0


draw_bitmap(pixels, 138, 75, 26, 48, data1)
draw_bitmap(pixels, 130,579,29,32, data2)

for each in cmds:
    params = each.replace('BAR ','').split(', ')
    x, y, width, height = [int(v) for v in params]
    draw_bar(pixels, x, y, width, height)

img = img.transpose(Image.ROTATE_180)
img.save('test.png')
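Added example, not part of the original writeup: a minimal parser and renderer for the two TSPL commands the script above replays, BAR and BITMAP, using plain lists instead of PIL so it runs anywhere. The bitmap payload is taken as a hex string (an assumption for the sample; on the wire it is raw bytes), and the 1 = white / 0 = black convention follows the script above.

```python
WHITE, BLACK = 1, 0   # same convention as PIL mode "1" in the script above: bit 1 = white, bit 0 = black


def new_canvas(width, height):
    return [[WHITE] * width for _ in range(height)]


def draw_bar(canvas, x, y, w, h):
    """BAR x,y,width,height: a solid black rectangle (all units are dots)."""
    for row in range(y, y + h):
        for col in range(x, x + w):
            if 0 <= row < len(canvas) and 0 <= col < len(canvas[0]):
                canvas[row][col] = BLACK


def draw_bitmap(canvas, x, y, width_bytes, height, data):
    """BITMAP x,y,width(bytes),height,mode,data: packed 1-bit rows, most significant bit first."""
    for row in range(height):
        for byte_idx in range(width_bytes):
            byte = data[row * width_bytes + byte_idx]
            for bit in range(8):
                r, col = y + row, x + byte_idx * 8 + bit
                if 0 <= r < len(canvas) and 0 <= col < len(canvas[0]):
                    canvas[r][col] = (byte >> (7 - bit)) & 1


def parse_tspl(script):
    """Parse BAR and BITMAP lines. The bitmap payload is a hex string here (assumption for the sample)."""
    cmds = []
    for line in script.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, rest = line.partition(" ")
        args = [a.strip() for a in rest.split(",")]
        if name == "BAR":
            cmds.append(("BAR", [int(a) for a in args]))
        elif name == "BITMAP":
            x, y, wb, h, mode = (int(a) for a in args[:5])
            data = bytes.fromhex(args[5])
            if len(data) != wb * h:
                raise ValueError("BITMAP payload is %d bytes, expected %d" % (len(data), wb * h))
            cmds.append(("BITMAP", [x, y, wb, h, mode, data]))
        # other TSPL commands (SIZE, PRINT, ...) do not change the pixels and are skipped
    return cmds


def render(script, width, height):
    canvas = new_canvas(width, height)
    for name, args in parse_tspl(script):
        if name == "BAR":
            draw_bar(canvas, *args)
        else:
            x, y, wb, h, _mode, data = args
            draw_bitmap(canvas, x, y, wb, h, data)
    return canvas


def rotate_180(canvas):
    """Same as the Image.ROTATE_180 step in the script above."""
    return [row[::-1] for row in canvas[::-1]]


def to_ascii(canvas):
    return "\n".join("".join("#" if px == BLACK else "." for px in row) for row in canvas)


# Constructed sample: a 1-byte-wide, 2-row bitmap and one bar on an 8x4 label
SAMPLE = """
BITMAP 0,0,1,2,0,7F80
BAR 2,2,3,1
"""
```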

Challenge analysis

Analysing the traffic reveals two unusual streams.

Reference article

flag{my_tsc_hc3pnikdk}

【QCTF2018】picture

Knowledge points: encrypted LSB steganography, DES decryption

About LSB steganography:

LSB steganography only works on losslessly compressed (png) or uncompressed (bmp) images.

Tips for solving:

For an LSB steganography challenge, first run zsteg with no arguments, then run it again with --all, and finally use StegSolve.

If the flag is stored as data, zsteg solves it quickly; if the flag is stored as an image, you can only go through the planes one by one in StegSolve.

StegSolve provides Invert, Data Extract, File Format, Frame Browser, Stereogram Solver and Image Combiner (for two-image problems).

Encrypted LSB steganography needs a script to extract the hidden data (and you need to know the password).

Reference article on encrypted LSB steganography

# zsteg usage

# zsteg 1.png
# zsteg 1.png --all
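Added example (not from the original post) of the plain LSB technique the tips above refer to: a payload is written into the lowest bit of each colour channel and read back the same way, with a small length field so the extractor knows where to stop. Pixels are plain (r, g, b) tuples, as they would come out of a lossless PNG or BMP; the cover image is a constructed gradient.

```python
# Pixels are (r, g, b) tuples in row-major order, as read from a lossless PNG or BMP.
# Payload bits go MSB first into the lowest bit of each channel, r then g then b, pixel by pixel.
LENGTH_FIELD_BYTES = 4  # a small header so the extractor knows how many payload bytes to read


def payload_bits(data):
    for byte in data:
        for shift in range(7, -1, -1):
            yield (byte >> shift) & 1


def lsb_embed(pixels, payload):
    """Return a new pixel list with len(payload) + payload hidden in the channel LSBs."""
    framed = len(payload).to_bytes(LENGTH_FIELD_BYTES, "big") + payload
    if len(framed) * 8 > len(pixels) * 3:
        raise ValueError("payload does not fit: need %d bits, have %d" % (len(framed) * 8, len(pixels) * 3))
    bits = payload_bits(framed)
    out = []
    for px in pixels:
        new = list(px)
        for ch in range(3):
            b = next(bits, None)
            if b is not None:
                new[ch] = (new[ch] & 0xFE) | b   # only the lowest bit changes, so the image looks identical
        out.append(tuple(new))
    return out


def lsb_extract(pixels):
    """Read the channel LSBs back; returns the payload, or None if the length field is implausible."""
    if len(pixels) * 3 < LENGTH_FIELD_BYTES * 8:
        return None
    stream = (px[ch] & 1 for px in pixels for ch in range(3))

    def take_bytes(n):
        data = bytearray()
        for _ in range(n):
            value = 0
            for _ in range(8):
                value = (value << 1) | next(stream)
            data.append(value)
        return bytes(data)

    length = int.from_bytes(take_bytes(LENGTH_FIELD_BYTES), "big")
    if length * 8 > len(pixels) * 3 - LENGTH_FIELD_BYTES * 8:
        return None   # header does not fit the image: no plain LSB payload in this bit order
    return take_bytes(length)


def make_sample_pixels(width, height):
    """Constructed cover image: a deterministic gradient, no real photo needed."""
    return [((x * 7) % 256, (y * 13) % 256, ((x + y) * 3) % 256)
            for y in range(height) for x in range(width)]
```

Lossy formats recompress pixel values, which is why the same trick cannot survive a JPEG round trip.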

Study articles:

LSB steganography, examine2's Blog

LSB image steganography

DES decryption:

DES decryption script on GitHub

# install on kali

# git clone https://github.com/liupengs/DES_Python.git

# usage
# des.py encrypts, des_1.py decrypts
python2 des_1.py

Challenge analysis

After getting the file, I analysed it with the file command on kali and found it is a PNG; adding the extension gives the PNG image.

binwalk and foremost did not extract any useful files.

For a PNG image the most likely thing is LSB steganography, which targets losslessly compressed or uncompressed files such as png and bmp.

Extracting with zsteg did not give any useful file either.

# zsteg 1.png
# zsteg 1.png --all

Try cracking the encrypted LSB steganography.

Reference article on encrypted LSB steganography

# Usage:
  lsb.py hide <img_file> <payload_file> <password>
  lsb.py extract <stego_file> <out_file> <password>
  lsb.py analyse <stego_file>

As for the password, I only learned from the writeup that it is the initials of 万物皆空,无欲无求: wwjkwywq

This yields a piece of DES-related code:

#_*_ coding:utf-8 _*_
import re
import sys

ip=  (58, 50, 42, 34, 26, 18, 10, 2,
      60, 52, 44, 36, 28, 20, 12, 4,
      62, 54, 46, 38, 30, 22, 14, 6,
      64, 56, 48, 40, 32, 24, 16, 8,
      57, 49, 41, 33, 25, 17, 9 , 1,
      59, 51, 43, 35, 27, 19, 11, 3,
      61, 53, 45, 37, 29, 21, 13, 5,
      63, 55, 47, 39, 31, 23, 15, 7)

ip_1=(40, 8, 48, 16, 56, 24, 64, 32,
      39, 7, 47, 15, 55, 23, 63, 31,
      38, 6, 46, 14, 54, 22, 62, 30,
      37, 5, 45, 13, 53, 21, 61, 29,
      36, 4, 44, 12, 52, 20, 60, 28,
      35, 3, 43, 11, 51, 19, 59, 27,
      34, 2, 42, 10, 50, 18, 58, 26,
      33, 1, 41,  9, 49, 17, 57, 25)

e  =(32, 1,  2,  3,  4,  5,  4,  5, 
       6, 7,  8,  9,  8,  9, 10, 11, 
      12,13, 12, 13, 14, 15, 16, 17,
      16,17, 18, 19, 20, 21, 20, 21,
      22, 23, 24, 25,24, 25, 26, 27,
      28, 29,28, 29, 30, 31, 32,  1)
 
p=(16,  7, 20, 21, 29, 12, 28, 17,
     1, 15, 23, 26,  5, 18, 31, 10, 
     2,  8, 24, 14, 32, 27,  3,  9,
     19, 13, 30, 6, 22, 11,  4,  25)

s=[ [[14, 4, 13,  1,  2, 15, 11,  8,  3, 10,  6, 12,  5,  9,  0,  7],
     [0, 15,  7,  4, 14,  2, 13,  1, 10,  6, 12, 11,  9,  5,  3,  8],
     [4,  1, 14,  8, 13,  6,  2, 11, 15, 12,  9,  7,  3, 10,  5,  0],    
     [15, 12,  8,  2,  4,  9,  1,  7,  5, 11,  3, 14, 10,  0,  6, 13]],

     [[15,  1,  8, 14,  6, 11,  3,  4,  9,  7,  2, 13, 12,  0,  5, 10],     
     [3, 13,  4,  7, 15,  2,  8, 14, 12,  0,  1, 10,  6,  9, 11,  5],     
     [0, 14,  7, 11, 10,  4, 13,  1,  5,  8, 12,  6,  9,  3,  2, 15],     
     [13,  8, 10,  1,  3, 15,  4,  2, 11,  6,  7, 12,  0,  5, 14,  9]],

     [[10,  0,  9, 14,  6,  3, 15,  5,  1, 13, 12,  7, 11,  4,  2,  8],     
     [13,  7,  0,  9,  3,  4,  6, 10,  2,  8,  5, 14, 12, 11, 15,  1],   
     [13,  6,  4,  9,  8, 15,  3,  0, 11,  1,  2, 12,  5, 10, 14,  7],     
     [1, 10, 13,  0,  6,  9,  8,  7,  4, 15, 14,  3, 11,  5,  2, 12]],

    [[7, 13, 14,  3,  0,  6,  9, 10,  1,  2,  8,  5, 11,  12,  4, 15],     
     [13,  8, 11,  5,  6, 15,  0,  3,  4,  7,  2, 12,  1, 10, 14,9],     
     [10,  6,  9,  0, 12, 11,  7, 13, 15,  1,  3, 14,  5,  2,  8,  4],     
     [3, 15,  0,  6, 10,  1, 13,  8,  9,  4,  5, 11, 12,  7,  2, 14]],


    [[2, 12,  4,  1,  7, 10, 11,  6,  8,  5,  3, 15, 13,  0, 14,  9],     
     [14, 11,  2, 12,  4,  7, 13,  1,  5,  0, 15, 10,  3,  9,  8,  6],     
     [4,  2,  1, 11, 10, 13,  7,  8, 15,  9, 12,  5,  6,  3,  0, 14],     
     [11,  8, 12,  7,  1, 14,  2, 13,  6, 15,  0,  9, 10,  4,  5,  3]],

    [[12,  1, 10, 15,  9,  2,  6,  8,  0, 13,  3,  4, 14,  7,  5, 11],
     [10, 15,  4,  2,  7, 12,  9,  5,  6,  1, 13, 14,  0, 11,  3,  8],     
     [9, 14, 15,  5,  2,  8, 12,  3,  7,  0,  4, 10,  1, 13, 11,  6],     
     [4,  3,  2, 12,  9,  5, 15, 10, 11, 14,  1,  7,  6,  0,  8, 13]],

    [[4, 11,  2, 14, 15,  0,  8, 13,  3, 12,  9,  7,  5, 10,  6,  1],     
     [13,  0, 11,  7,  4,  9,  1, 10, 14,  3,  5, 12,  2, 15,  8,  6],     
     [1,  4, 11, 13, 12,  3,  7, 14, 10, 15,  6,  8,  0,  5,  9,  2],     
     [6, 11, 13,  8,  1,  4, 10,  7,  9,  5,  0, 15, 14,  2,  3, 12]],

   [[13,  2,  8,  4,  6, 15, 11,  1, 10,  9,  3, 14,  5,  0, 12,  7],     
     [1, 15, 13,  8, 10,  3,  7,  4, 12,  5,  6, 11,  0, 14,  9,  2],     
     [7, 11,  4,  1,  9, 12, 14,  2,  0,  6, 10, 13, 15,  3,  5,  8],     
     [2,  1, 14,  7,  4, 10,  8, 13, 15, 12,  9,  0,  3,  5,  6, 11]]]
     
pc1=(57, 49, 41, 33, 25, 17,  9,
       1, 58, 50, 42, 34, 26, 18,
      10,  2, 59, 51, 43, 35, 27,
      19, 11,  3, 60, 52, 44, 36,
      63, 55, 47, 39, 31, 23, 15,
       7, 62, 54, 46, 38, 30, 22,
      14,  6, 61, 53, 45, 37, 29,
      21, 13,  5, 28, 20, 12, 4);

pc2= (14, 17, 11, 24,  1,  5,  3, 28,
      15,  6, 21, 10, 23, 19, 12,  4, 
      26,  8, 16,  7, 27, 20, 13,  2, 
      41, 52, 31, 37, 47, 55, 30, 40, 
      51, 45, 33, 48, 44, 49, 39, 56, 
      34, 53, 46, 42, 50, 36, 29, 32)

d = (  1,  1,  2,  2,  2,  2,  2,  2, 1, 2, 2, 2, 2, 2, 2, 1)

__all__=['desencode']
class DES():

	def __init__(self):
		pass

	def code(self,from_code,key,code_len,key_len):
		output=""
		trun_len=0
		

		code_string=self._functionCharToA(from_code,code_len)
		code_key=self._functionCharToA(key,key_len)
		

		if code_len%16!=0:
			real_len=(code_len/16)*16+16
		else:
			real_len=code_len
		
		if key_len%16!=0:
			key_len=(key_len/16)*16+16
		key_len*=4


		trun_len=4*real_len

		for i in range(0,trun_len,64):
			run_code=code_string[i:i+64]
			l=i%key_len
			run_key=code_key[l:l+64]


			run_code= self._codefirstchange(run_code)
			run_key= self._keyfirstchange(run_key)
			

			for j in range(16):
				

				code_r=run_code[32:64]
				code_l=run_code[0:32]
					

				run_code=code_r
				

				code_r= self._functionE(code_r)
				

				key_l=run_key[0:28]
				key_r=run_key[28:56]
				key_l=key_l[d[j]:28]+key_l[0:d[j]]
				key_r=key_r[d[j]:28]+key_r[0:d[j]]
				run_key=key_l+key_r
				key_y= self._functionKeySecondChange(run_key)


				code_r= self._codeyihuo(code_r,key_y)
				

				code_r= self._functionS(code_r)
				

				code_r= self._functionP(code_r)
				

				code_r= self._codeyihuo(code_l,code_r)
				run_code+=code_r

			code_r=run_code[32:64]
			code_l=run_code[0:32]
			run_code=code_r+code_l
			

			output+=self._functionCodeChange(run_code)
		return output


	def _codeyihuo(self,code,key):
		code_len=len(key)
		return_list=''
		for i in range(code_len):
			if code[i]==key[i]:
				return_list+='0'
			else:
				return_list+='1'
		return return_list

	 		 							
	def _codefirstchange(self,code):
		changed_code=''
		for i in range(64):
			changed_code+=code[ip[i]-1]
		return changed_code


	def _keyfirstchange (self,key):
		changed_key=''
		for i in range(56):
			changed_key+=key[pc1[i]-1]
		return changed_key


	def _functionCodeChange(self, code):
		lens=len(code)/4
		return_list=''
		for i in range(lens):
			list=''
			for j in range(4):
				list+=code[ip_1[i*4+j]-1]
			return_list+="%x" %int(list,2)
		return return_list
	

	def _functionE(self,code):
		return_list=''
		for i in range(48):
			return_list+=code[e[i]-1]
		return return_list		
	

	def _functionP(self,code):
		return_list=''
		for i in range(32):
			return_list+=code[p[i]-1]
		return return_list


	def _functionS(self, key):
		return_list=''
		for i in range(8):
			row=int( str(key[i*6])+str(key[i*6+5]),2)
			raw=int(str( key[i*6+1])+str(key[i*6+2])+str(key[i*6+3])+str(key[i*6+4]),2)
			return_list+=self._functionTos(s[i][row][raw],4)

		return return_list
		

	def _functionKeySecondChange(self,key):
		return_list=''
		for i in range(48):
			return_list+=key[pc2[i]-1]
		return return_list
	

	def _functionCharToA(self,code,lens):
		return_code=''
		lens=lens%16
		for key in code:
			code_ord=int(key,16)
			return_code+=self._functionTos(code_ord,4)		
		if lens!=0:
			return_code+='0'*(16-lens)*4
		return return_code
	

	def _functionTos(self,o,lens):
		return_code=''
		for i in range(lens):
			return_code=str(o>>i &1)+return_code
		return return_code


def tohex(string):
	return_string=''
	for i in string:
		return_string+="%02x"%ord(i)
	return return_string
		
def tounicode(string):
	return_string=''
	string_len=len(string)
	for i in range(0,string_len,2):
		return_string+=chr(int(string[i:i+2],16))
	return return_string


def desencode(from_code,key):
	

	from_code=tohex(from_code)
	key=tohex(key)
	
	des=DES()
	key_len=len(key)
	string_len=len(from_code)		
		
	if string_len<1 or key_len<1:
		print 'error input'
		return False
	key_code= des.code(from_code,key,string_len,key_len)
	return key_code


if __name__  == '__main__':
	if(desencode(sys.argv[1],'mtqVwD4JNRjw3bkT9sQ0RYcZaKShU4sf')=='e3fab29a43a70ca72162a132df6ab532535278834e11e6706c61a1a7cefc402c8ecaf601d00eee72'):
		print 'correct.'
	else:
		print 'try again.'

DES decryption script on GitHub

# python2 des_1.py

QCTF{eCy0AALMDH9rLoBnWnTigXpYPkgU0sU4}

【watevrCTF 2019】Polly

Knowledge point: evaluating a mathematical formula

Challenge analysis

from sympy import *

# declare the symbolic variable x (sympy keeps the rational coefficients exact)
x = symbols("x")
y = -510233931851656757*x**56/710998587804863451854045647463724949736497978881168458687447040000000000000 + 28538582555324529581*x**55/25392806707316551851930201695133033919160642102898873524551680000000000000 - 361611288555263491*x**54/421055535502492258043032818391295177534479825940370161664000000000000 + 2189223797409040145903*x**53/5129859940872030677157616504067279579628412546040176469606400000000000 - 3001755643562030554208767*x**52/19357962041026530857198552845536904074069481305811986677760000000000000 + 78238787580756843015401*x**51/1781188998990295441405829301208769237584604463177400320000000000000 - 116104436553238240592813791*x**50/11496527230247656900485565886772482623174748513067073536000000000000 + 127279887341335237997305957*x**49/65694441315700896574203233638699900703855705788954705920000000000 - 20305349569334865003353693141*x**48/64170394447571083344765063383345446352972606387257344000000000000 + 755344461848261566273335985217*x**47/16909766104427515205715118053719408160580619250696192000000000000 - 8730828190255482707329907709523*x**46/1583041933180448232024394030560965870352228185171558400000000000 + 76555149545632714960652198194597*x**45/127331633755818662141092563327729863484853136633364480000000000 - 1602375720398047527703588216319184983*x**44/27479475110939521552978869398000199787640242135105536000000000000 + 114295162137526589722365996075069211717*x**43/22572425983986035561375499862643021254133056039550976000000000000 - 13848681865733026134505571948717935637*x**42/34996009277497729552520154825803133727338071379148800000000000 + 153346974308020314565759178978111441*x**41/5485267911833499929862093232884503719018506485760000000000 - 520024520896904430645934556087134499251423*x**40/290210808642664098728215918067635743104754738266112000000000000 + 583372437848702106759949552819801879184581*x**39/5580977089282001898619536885916071982783744966656000000000000 - 
46031013908208473758789005123614987736509587*x**38/8272977802935673402659548795593236115655904303513600000000000 + 7353657867840940108498978410191786786833213*x**37/27150699353263793020311260526078188024353353891840000000000 - 92499773752352276492046888338669680452103462189*x**36/7657889561176967262139073481714360724817612636160000000000000 + 4100551582505375935469899571343423946185109603489*x**35/8296047024608381200650662938523890785219080355840000000000000 - 1895954357110172205089772212408286791708615900917*x**34/102036942013899875729927939885587961529432539136000000000000 + 43118050173835025743884479345094473671998423653*x**33/67129567114407812980215749924728922058837196800000000000 - 22765966699209423168314620580071311613337850078228970157*x**32/1114243406791786642970813103550620539901403327365120000000000000 + 2164682230392596021581197470695955891436192181935306391*x**31/3617673398674631957697445141398118636043517296640000000000000 - 920699702649221064972928655611480860602416008467275417*x**30/57052913814223586429637127677963161285274107904000000000000 + 686056125302514633652788467458025065050820545750401507*x**29/1711587414426707592889113830338894838558223237120000000000 - 3138304869574821781724911760498738183508227936479448972609*x**28/342317482885341518577822766067778967711644647424000000000000 + 1270675513242488953141124524513884117237971552020405481903*x**27/6583028517025798434188899347457287840608550912000000000000 - 35251878159156858646651490873547468067999378927697697003224477*x**26/9428213442084348517445341645428327645319566616166400000000000 + 640581045258286772319400657438117285194045922802459043053203*x**25/9620625961310559711678920046355436372775067975680000000000 - 72656459972106788902891971241582058202821865848124369081172639*x**24/66716462086011457208029806848269051769244352512000000000000 + 154039473157326645352130477125406816808322554770621702623189519*x**23/9427326164327705909830298793777148619567136768000000000000 - 
1082910009287427089558040173029448590098449209287440350613671*x**22/4822161720883737038276367669451226915379609600000000000 + 24188920823778246702349239533423129779289240972762319245699197*x**21/8570296513025187190754817085251953290515578880000000000 - 2312064026649698678901994207690698059469649821996032406197587664228741*x**20/71419066189405618046396886086957233654685736370176000000000000 + 862370556128011088565191676373092759230061876592574879284609935706793*x**19/2550680935335914930228460217391329773381633441792000000000000 - 32072107483702086982352528206453150709858865925578274033380368180437*x**18/10002670334650646785209647911338548130908366438400000000000 + 1529698138827681013559573339316154298621053459717691815776842419379*x**17/55570390748059148806720266174103045171713146880000000000 - 222611348623707141383036923098732823232255364898093370342989110678452081*x**16/1044260259473944837992951668521686390518442885120000000000000 + 19351471406694225111369749822067705924291211128650839886054241035573*x**15/13048686203253171864759230125976987935703040000000000000 - 788448884149338619773551061237815179858025448137798058040565357883017969*x**14/85480045326791055697402842485438742223090876416000000000000 + 1073836757430890424151052096696872926581023064319957457780403520628397*x**13/21054198356352476772759320809221365079579033600000000000 - 13037261936583491232564987358021148191312145269662640728042654537466177*x**12/52337322240932848864901859644270462537564160000000000000 + 193553176960028089077524490434690010049391798907017144709511622501501*x**11/181523857324358216783809467780676473323520000000000000 - 68187858129806282947338026458215966993811977794098721136854363544114709*x**10/17205436276727086314158740721145118396514304000000000000 + 8945934592679151193925448392874011400632217576523903097012117504044751*x**9/707334602487669104026526007424854867412254720000000000 - 
1869710221567968463761175994053678221652715546983576126590166640405599343*x**8/54712331502421205196451786674312523994337902592000000000 + 150097834583670559919903774847355537654811358204762610127392287652832711*x**7/1954011839372185899873278095511161571226353664000000000 - 887795495236087230655513134787312551397755543548982957604351894153*x**6/6324332742830674887191952972548659841433600000000 + 325850556958534026053020666873255701298636569528110069255986051*x**5/1611756757211697568252622935684799553945600000 - 1383255113415521659958099444243664043564187251342510179583421*x**4/6303358038091792437823864786842855398400000 + 1288933044552801369576288324542563196552750611910520778643*x**3/7696407860917939484522423427158553600000 - 58143815812249254268696937296354052881595701176023*x**2/732857216672564586715802770080000 + 76949958412245985708257714245417562997*x/4439171857433454741600 + 119

flag = ""
for i in range(57):
    # evaluate the polynomial exactly at x = 0..56; each value is one character code
    flag += chr(int(y.subs(x, i)))

print(flag)

Note that the arithmetic here is heavy; for exact results use sagemath or Python's sympy library.

# watevr{polly_polynomials_youtube.com/watch?v=THNWVVn9JO0}
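Added example, not part of the original post, showing both directions of the trick above with nothing but the standard library: a polynomial through the points (i, ord(flag[i])) is built by Lagrange interpolation over exact rationals (presumably how such a challenge is generated; that is an assumption), and decoding is the same x = 0, 1, 2, ... evaluation as the sympy loop. Using Fraction rather than float is what keeps a degree-56 polynomial with huge coefficients exact.

```python
from fractions import Fraction


def interpolate(points):
    """Lagrange interpolation over exact rationals.
    Returns coefficients c[0..n-1] (lowest degree first) of the unique degree n-1
    polynomial through the n points; n = 57 for the challenge above."""
    n = len(points)
    coeffs = [Fraction(0)] * n
    for i, (xi, yi) in enumerate(points):
        # basis polynomial L_i(x) = prod_{j != i} (x - x_j) / (x_i - x_j), kept as a coefficient list
        basis = [Fraction(1)]
        denom = Fraction(1)
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            new = [Fraction(0)] * (len(basis) + 1)   # multiply basis by (x - x_j)
            for k, b in enumerate(basis):
                new[k + 1] += b
                new[k] -= b * xj
            basis = new
            denom *= xi - xj
        for k, b in enumerate(basis):
            coeffs[k] += b * yi / denom
    return coeffs


def evaluate(coeffs, x):
    """Horner's rule with exact rationals, so no rounding error creeps in at high degree."""
    acc = Fraction(0)
    for c in reversed(coeffs):
        acc = acc * x + c
    return acc


def encode_flag(flag):
    """Build a polynomial with y(i) = ord(flag[i]) (assumed generation method)."""
    return interpolate([(Fraction(i), Fraction(ord(ch))) for i, ch in enumerate(flag)])


def decode_flag(coeffs):
    """Evaluate at x = 0, 1, 2, ... exactly as the sympy loop above does, one character per point."""
    out = []
    for i in range(len(coeffs)):
        v = evaluate(coeffs, Fraction(i))
        if v.denominator != 1 or not 0 <= v < 256:
            raise ValueError("value at x=%d is not a byte: %s" % (i, v))
        out.append(chr(int(v)))
    return "".join(out)
```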

【INSHack2019】Passthru

Knowledge points: traffic analysis (TLS), sslkey.log symmetric keys

Challenge analysis

I looked up the sslkey.log file and learned it holds the symmetric keys used during TLS-encrypted communication.

Use the sslkey file to decrypt the packet contents: Edit > Preferences > Protocols > TLS

Reference article

Following the HTTP stream, the GET requests contain a suspicious string, kcahsni, which reversed is simply inshack.

# http.request.uri.query
# filter on that string

Then File → Export Packet Dissections → As Plain Text to dump these packets, and use strings to pull out the data related to kcahsni:

#kali
strings 123.txt | grep kcahsni > out.txt

Analysing the extracted text shows that kcahsni is always followed by a hex string.

Deduplicating the repeated data gives:
'''
9ef773fe97f56554a3b4
26cd07e1f71df3dcee9f
1eaf89725ab93968fc52
f03c0a7d653539616433
66333861303164636130
30663937353965366432
30353331373634326335
34323166636461643033
34656265373037376332
62646464343732627b41
534e490b3295c3d06c24
f2a8c7e8936667dbf7fe
ce28456a0fd24ac21ec6
a12e3efe4b
'''
from Crypto.Util.number import long_to_bytes   # libnum was imported in the original but never used

x = 0x9ef773fe97f56554a3b426cd07e1f71df3dcee9f1eaf89725ab93968fc52f03c0a7d653539616433663338613031646361303066393735396536643230353331373634326335343231666364616430333465626537303737633262646464343732627b41534e490b3295c3d06c24f2a8c7e8936667dbf7fece28456a0fd24ac21ec6a12e3efe4b

# the bytes were sent in reverse order, so reverse them back to read the flag
print(long_to_bytes(x)[::-1])

INSA{b274dddb2c7707ebe430dadcf1245c246713502d6e9579f00acd10a83f3da95e}
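The extraction above (strings, grep, dedup, hex-decode, reverse) as one script, added here and not part of the original post. The exported text is a constructed sample in which, as in the real capture, every chunk appears several times; the parser collapses consecutive repeats rather than all repeats, so a genuinely repeated chunk of data would survive.

```python
import re

# Constructed sample of the exported GET lines: each hex chunk shows up several times in a real
# capture (retransmissions, repeated requests), which is why the extraction deduplicates.
SECRET = b"INSA{constructed_sample_flag}"
CHUNKS = [SECRET[::-1][i:i + 10].hex() for i in range(0, len(SECRET), 10)]
SAMPLE_EXPORT = "\n".join(
    "GET /?kcahsni=%s HTTP/1.1" % c for c in CHUNKS for _ in range(3)
)

QUERY_RE = re.compile(r"kcahsni=([0-9a-fA-F]+)")


def extract_chunks(text):
    """Hex values in order of appearance, with consecutive repeats collapsed."""
    chunks = []
    for m in QUERY_RE.finditer(text):
        if not chunks or chunks[-1] != m.group(1):
            chunks.append(m.group(1))
    return chunks


def recover(text):
    """Join the chunks, hex-decode, and reverse: the bytes were sent backwards, like 'kcahsni' itself."""
    data = bytes.fromhex("".join(extract_chunks(text)))
    return data[::-1]
```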

【WMCTF2020】行为艺术

Knowledge points: PNG image repair, CRC32 check, extracting a zip with CyberChef

Challenge analysis

This challenge taught me a new trick.

Extracting the zip with CyberChef bypasses pseudo-encryption.

Open the PNG from the challenge in 010 Editor and run the PNG template: it reports that the CRC value is wrong.

Recover the image width and height with a script:

import os,sys
os.chdir(sys.path[0])
import zlib
import struct
 
filename = 'attachment.png'
with open(filename, 'rb') as f:
    all_b = f.read()
    crc32key = int(all_b[29:33].hex(),16)
    data = bytearray(all_b[12:29])
    n = 4095            # in theory 0xffffffff, but given real screen sizes and CPU time 0x0fff is enough
    for w in range(n):          # brute-force height and width together
        width = bytearray(struct.pack('>i', w))     # q is 8 bytes, i is 4 bytes, h is 2 bytes
        for h in range(n):
            height = bytearray(struct.pack('>i', h))
            for x in range(4):
                data[x+4] = width[x]
                data[x+8] = height[x]
            crc32result = zlib.crc32(data)
            if crc32result == crc32key:
                print("宽为:",end="")
                print(width)
                print("高为:",end="")
                print(height)
                exit(0)

# 宽为:bytearray(b'\x00\x00\x03\x80')
# 高为:bytearray(b'\x00\x00\x02\x84')

After the repair we get the image below.

The image visibly contains a zip archive; extracting the characters gives:

504B0304140000000800DB93C55086A39007D8000000DF01000008000000666C61672E74787475504B0E823010DD93708771DDCCB0270D5BBD0371815A9148AC6951C2ED9D271F89C62E2693D7F76BB7DE9FC80D2E6E68E782A326D2E01F81CE6D55E76972E9BA7BCCB3ACEF7B89F7B6E90EA16A6EE2439D45179ECDD1C5CCFB6B9AA489C1218C92B898779D765FCCBB58CC920B6662C5F91749931132258F32BBA7C288C5AE103133106608409DAC419F77241A3412907814AB7A922106B8DED0D25AEC8A634929025C46A33FE5A1D3167A100323B1ABEE4A7A0708413A19E17718165F5D3E73D577798E36D5144B66315AAE315078F5E51A29246AF402504B01021F00140009000800DB93C55086A39007D8000000DF010000080024000000000000002000000000000000666C61672E7478740A00200000000000010018004A0A9A64243BD601F9D8AB39243BD6012D00CA13223BD601504B050600000000010001005A000000FE00000000000000

Extracting the zip with CyberChef yields:
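What the CyberChef bypass relies on, as an added example that is not part of the original post: in a pseudo-encrypted zip the "encrypted" bit (bit 0 of the general-purpose flags) is set in the central directory but the data was never encrypted, so Python's zipfile refuses the member while a tool that ignores the flag extracts it. The block detects the local/central mismatch and clears the bit; the archive is constructed inside the block (the one carved above has flags 0000 in its local header and 0900 in its central entry, the same pattern).

```python
import io
import struct
import zipfile

LOCAL_SIG = b"PK\x03\x04"      # flags at offset 6 of the local file header
CENTRAL_SIG = b"PK\x01\x02"    # flags at offset 8 of the central directory entry


def find_all(blob, sig):
    """Offsets of every occurrence of a signature (compressed data could also contain one; fine for a sample)."""
    pos = blob.find(sig)
    while pos >= 0:
        yield pos
        pos = blob.find(sig, pos + 1)


def encryption_flags(blob):
    """Return ([local flag words], [central flag words]) in archive order."""
    local = [struct.unpack_from("<H", blob, p + 6)[0] for p in find_all(blob, LOCAL_SIG)]
    central = [struct.unpack_from("<H", blob, p + 8)[0] for p in find_all(blob, CENTRAL_SIG)]
    return local, central


def is_pseudo_encrypted(blob):
    """Bit 0 set on one side but not the other: the data is not really encrypted."""
    local, central = encryption_flags(blob)
    return any((l ^ c) & 1 for l, c in zip(local, central))


def clear_encryption_bit(blob):
    """Clear bit 0 of every general-purpose flag word; the compressed data itself is untouched."""
    out = bytearray(blob)
    for p in find_all(blob, LOCAL_SIG):
        struct.pack_into("<H", out, p + 6, struct.unpack_from("<H", out, p + 6)[0] & 0xFFFE)
    for p in find_all(blob, CENTRAL_SIG):
        struct.pack_into("<H", out, p + 8, struct.unpack_from("<H", out, p + 8)[0] & 0xFFFE)
    return bytes(out)


def read_member(blob, name):
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        return zf.read(name)


def extraction_fails(blob, name):
    """True if zipfile refuses the member (it demands a password when bit 0 is set in the central directory)."""
    try:
        read_member(blob, name)
    except RuntimeError:
        return True
    return False


def build_pseudo_encrypted_sample():
    """Constructed sample: a normal zip whose central-directory flag word gets bit 0 set, as in the challenge."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("flag.txt", "constructed sample payload")
    blob = bytearray(buf.getvalue())
    p = blob.find(CENTRAL_SIG)
    struct.pack_into("<H", blob, p + 8, struct.unpack_from("<H", blob, p + 8)[0] | 1)
    return bytes(blob)
```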

+++++ ++++[ ->+++ +++++ +<]>+ +++++ .<+++ [->-- -<]>- .<+++ [->-- -<]>-
.<+++ +[->+ +++<] >+.<+ ++[-> ---<] >---- -.<++ +++++ [->++ +++++ <]>++
++.-- --.<+ +++[- >---- <]>-- ----. +++++ +++.< +++[- >---< ]>-.+ ++.++
+++++ .<+++ [->-- -<]>- .+++. -.... --.++ +.<++ +[->+ ++<]> ++++. <++++
++++[ ->--- ----- <]>-- ----- ----- --.<+ +++[- >++++ <]>+. +...< +++++
+++[- >++++ ++++< ]>+++ +++++ +++.. .-.<

Decode the Brainfuck online:

WMCTF{wai_bi_baaaa_bo!2333~~~}

Tip: extracting with 360 Zip also bypasses the pseudo-encryption.

Updated 2022-06-03