
Bits and Pieces from Attack/Defense Competitions (1)

2014-03-14 09:50
1. Python image steganography; the command is as follows:

stepic --decode --image-in=stegano1.bmp --out=tips


2. Output 1024 'A's directly with perl. That is the letter x (the repetition operator), and there must be a space on each side of it:

perl -e 'print "A" x 1024;'


3. An ancient cipher from ACTF:

oivqmqgn, yja vibem naarn yi yxbo sqnyab yjqo q zixuea is gaqbn qdi. ykra jqn zira yi baseazy yjqy qeni ko yja ujbqzw rqdqhkoa. yjkn kn vjqy yja uquab saam kn qpixy: gix nxprky q uquab, va backav ky qom ky dayn uxpeknjam. oi oaam yi vqky q rioyj ib yvi xoyke
gix naa gixb qbykzea ko yja oafy ujbqzw knnxa, vjao yja ykra jqn zira, va'ee mazkma yi zirukea q oav knnxa sbir yja qbykzean yjqy jqca paao nxprkyyam. yjqy'n pqnkzqeeg ky. qom dbqp gix seqd jaba, zbguyiiiniziieqrkbkdjy?

This is a substitution cipher. Analyze it at this site: http://cryptoclub.org/tools/cracksub_topframe.php. The statistics are as follows:



From the frequencies of the two-letter and three-letter words we can guess Y-->t, J-->h, A-->e. Fill those in, as in the figure below:



From the two boxes above we can guess Q-->a.





From the two figures above we can guess B-->r, I-->o. Guess one letter at a time; it goes quickly.



The plaintext is as follows:

nowadays, the world seems to turn faster than a couple of years ago. time has come to reflect that also in the phrack magazine. this is what the paper feed is about: you submit a paper, we review it and it gets published. no need to wait a month or two until
you see your article in the next phrack issue, when the time has come, we'll decide to compile a new issue from the articles that have been submitted. that's basically it. and grab you flag here, cryptooosocoolamiright?

4. Reverse the encryption below. Three files were given: msg01, msg01.enc and msg02.enc. First recover the key from msg01 and msg01.enc, then recover msg02 from msg02.enc, and that's it. (The key point is that & 0xff keeps only the low eight bits, so any letter's ASCII code ANDed with 0xff is still itself; no inversion of that step is needed.)

f = open('msg01', 'rb').read()
g = open('msg01.enc', 'wb')

key = 'key'
c = ''
t = chr(0)   # previous plaintext byte, starts at 0
i = 0

for p in f:
    # each output byte mixes the plaintext byte, (key byte XOR previous plaintext byte)
    # and i**i; & 0xff keeps the low eight bits
    c = chr((ord(p) + (ord(key[i % len(key)]) ^ ord(t)) + i**i) & 0xff)
    t = p
    i += 1
    g.write(c)

g.close()


Code to recover the key:

f = open('msg01', 'rb').read()
g = open('msg01.enc', 'rb').read()

i = 0
p = f

t = chr(0)   # previous plaintext byte
a = ""
for c in g:
    # undo the additions, then XOR away the previous plaintext byte to get the key byte
    a += chr(((ord(c) - ord(p[i]) - (i**i)) & 0xff) ^ ord(t))
    t = p[i]
    i += 1
print a
beyond@beyond ~/code/code-python $ python encry.py
DoNotTryToGuessWhatDoesD3AdCa7ThinkOfDoNo

The last four letters are a repeat; delete them and what remains is the key.

Code to recover msg02:

g = open('msg02.enc', 'rb').read()

i = 0
key = 'DoNotTryToGuessWhatDoesD3AdCa7ThinkOf'
t = chr(0)   # previous recovered plaintext byte
a = ""
for c in g:
    # subtract i**i and (key byte XOR previous plaintext byte), keep the low eight bits
    t = chr((ord(c) - ((i**i) & 0xff) - (ord(key[i % len(key)]) ^ ord(t))) & 0xff)
    a += t
    i += 1

print a


The result is as follows:

beyond@beyond ~/code/code-python $ python encry.py
High demand! No matches...
Search again for these tickets (a fan may have let them go) or change quantity/ticket type.
Get This damn fl4g plz
ACTF{why_can_not_I_buy_a_TI4_ticket_It_it_so_terrible!!!!!!!!!!}
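The same steps as general functions, as an added example (not the challenge's or the author's code; Python 3 bytes instead of Python 2 strings): the cipher, key-stream recovery from a known plaintext, detection of the key's repetition period instead of trimming the repeated "DoNo" by eye, and decryption. The sample key and messages are constructed; the real challenge files are not reproduced here.

```python
# Constructed sample data (the real msg01/msg02 files are not available here).
SAMPLE_KEY = b"N0tTheRealKey"
SAMPLE_MSG01 = b"Known plaintext long enough to expose a full key period."
SAMPLE_MSG02 = b"FLAG{constructed_example}"


def encrypt(msg: bytes, key: bytes) -> bytes:
    """The challenge cipher: c[i] = (p[i] + (key[i % n] ^ p[i-1]) + i**i) mod 256,
    with p[-1] = 0. pow(i, i, 256) equals (i**i) & 0xff, including 0**0 == 1."""
    out, prev = bytearray(), 0
    for i, p in enumerate(msg):
        out.append((p + (key[i % len(key)] ^ prev) + pow(i, i, 256)) & 0xff)
        prev = p
    return bytes(out)


def recover_keystream(msg: bytes, enc: bytes) -> bytes:
    """Known-plaintext step: subtract p[i] and i**i, then XOR away p[i-1]. Everything
    is mod 256 and the key byte is below 256, so nothing else has to be inverted."""
    out, prev = bytearray(), 0
    for i, (p, c) in enumerate(zip(msg, enc)):
        out.append(((c - p - pow(i, i, 256)) & 0xff) ^ prev)
        prev = p
    return bytes(out)


def shortest_period(stream: bytes) -> bytes:
    """Smallest prefix that tiles the whole stream: this is the key once the known
    plaintext is at least one key length long (a key that is itself periodic
    returns its shorter period, which decrypts identically)."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream


def decrypt(enc: bytes, key: bytes) -> bytes:
    """Invert encrypt(); each recovered byte feeds the next step as p[i-1]."""
    out, prev = bytearray(), 0
    for i, c in enumerate(enc):
        prev = (c - pow(i, i, 256) - (key[i % len(key)] ^ prev)) & 0xff
        out.append(prev)
    return bytes(out)
```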


5. In NotSoSecure's 2nd SQLiLab CTF, an encoded string like this appeared:

H4sIAAAAAAAAAAsyTs80LTEu0ssoyc0BACMzGYUNAAAA
Just decode it in Burp Suite's Decoder:
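The two Decoder steps in Python, as an added example that is not from the post, together with the check that makes the string recognisable at a glance: a base64 string beginning "H4sI" decodes to the gzip magic bytes 1f 8b followed by the deflate method byte 08. The round-trip sample is constructed and the helper names are mine.

```python
import base64
import gzip
import zlib

# The encoded string quoted in item 5 above.
PAGE_STRING = "H4sIAAAAAAAAAAsyTs80LTEu0ssoyc0BACMzGYUNAAAA"
GZIP_MAGIC = b"\x1f\x8b"


def b64_to_bytes(s: str) -> bytes:
    """Base64-decode, restoring any '=' padding dropped when the string was copied."""
    s = s.strip()
    return base64.b64decode(s + "=" * (-len(s) % 4))


def is_gzip(data: bytes) -> bool:
    """'H4sI' in base64 is 1f 8b 08: gzip magic plus the deflate method byte."""
    return data[:2] == GZIP_MAGIC


def gunzip_lenient(data: bytes):
    """Inflate one gzip member and return (output, complete). The bytes are fed one
    at a time so that a truncated or mangled stream (easy to get from a copied CTF
    string) yields whatever was recovered and complete=False instead of raising."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # 16+: expect a gzip header
    out = bytearray()
    try:
        for i in range(len(data)):
            out += d.decompress(data[i:i + 1])
    except zlib.error:
        return bytes(out), False
    return bytes(out), d.eof


def decode_layers(s: str):
    """The two Burp Decoder steps in one call: base64, then gzip if the magic matches."""
    raw = b64_to_bytes(s)
    if not is_gzip(raw):
        return raw, True
    return gunzip_lenient(raw)


# Constructed round-trip sample, not taken from the page.
SAMPLE = base64.b64encode(gzip.compress(b"constructed sample text")).decode()
```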



6. DES encryption (CBC mode) in Python:

from pyDes import *
import base64
data = "syclover"  # data to encrypt
Iv = "JoyChou "  # initialization vector, 8 bytes
key = "syclover"  # key, must be exactly 8 bytes long for DES
k = des(key, CBC, Iv, pad=None, padmode=PAD_PKCS5)
# For Python3, you'll need to use bytes, i.e.:
#   data = b"Please encrypt my data"
#   k = des(b"DESCRYPT", CBC, b"\0\0\0\0\0\0\0\0", pad=None, padmode=PAD_PKCS5)

d = k.encrypt(data)
print base64.encodestring(d)
assert k.decrypt(d, padmode=PAD_PKCS5) == data


7. The analysis of a reversing challenge from Chengdu University of Information Technology goes as follows:

Open it in IDA and look at the statically decompiled code; first get a rough idea of its few functions.
(1)



The code above first checks whether the file name you passed in is baidushadu. If it is, it proceeds to the next step; if not, it prints filenameerror.
(2)



The code above checks whether the first line contains "enterkey " (note that there is a trailing space).
Next comes the key generation, which is also the most important part of the analysis.

Write enterkeyqweqweqwe into the baidushadu file:
beyond@beyond-virtual-machine:~$./l1nux baidushadu

somethingwrong in your file!
Find "somethingwrong in your file!" in IDA. There are two occurrences, and at this point it can be determined that the second one is the one being hit. Set a breakpoint directly on the conditional block in front of the second one.



To analyze the code above, you can use peda together with gdb. Part of the analysis process follows:
gdb-peda$ break *0x4008fb
Breakpoint 1 at 0x4008fb
gdb-peda$ run
usage : /home/beyond/l1nux  filename
[Inferior 1 (process 16259) exited with code 01]
Warning: not running or target is remote
gdb-peda$ run baidushadu
warning: no loadable sections found in added symbol-file system-supplied DSO at 0x7ffff7ffa000
[----------------------------------registers-----------------------------------]
RAX: 0x9 ('\t')
RBX: 0x0
RCX: 0xfffffffffffffff4
RDX: 0x69 ('i')
RSI: 0x7fffffffdf5a --> 0x0
RDI: 0x7fffffffe05b --> 0x0
RBP: 0x7fffffffe160 --> 0x0
RSP: 0x7fffffffde10 --> 0xffffefbd22b60000
RIP: 0x4008fb (<main+631>:	lea    rax,[rbp-0x110])
R8 : 0x1
R9 : 0x0
R10: 0x22 ('"')
R11: 0x246
R12: 0x4005a0 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe240 --> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x4008eb <main+615>:	add    DWORD PTR [rbp-0x314],0x1
0x4008f2 <main+622>:	cmp    DWORD PTR [rbp-0x314],0x9
0x4008f9 <main+629>:	jle    0x4008c7 <main+579>
=> 0x4008fb <main+631>:	lea    rax,[rbp-0x110]
0x400902 <main+638>:	mov    rdx,rax
0x400905 <main+641>:	mov    eax,0x400acd
0x40090a <main+646>:	mov    ecx,0xb
0x40090f <main+651>:	mov    rsi,rdx
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde10 --> 0xffffefbd22b60000
0008| 0x7fffffffde18 --> 0xffffffffffffffff
0016| 0x7fffffffde20 --> 0x7fffffffe248 --> 0x7fffffffe504 ("/home/beyond/l1nux")
0024| 0x7fffffffde28 --> 0x2f7ffe620
0032| 0x7fffffffde30 --> 0x1f7dda840
0040| 0x7fffffffde38 --> 0x7fffffffe517 ("baidushadu")
0048| 0x7fffffffde40 --> 0x602010 --> 0xfbad2488
0056| 0x7fffffffde48 --> 0xaf7dda73c
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value

Breakpoint 1, 0x00000000004008fb in main ()
gdb-peda$ ni
[----------------------------------registers-----------------------------------]
RAX: 0x7fffffffe050 ("bbbbbiiiii")
RBX: 0x0
RCX: 0xfffffffffffffff4
RDX: 0x69 ('i')
RSI: 0x7fffffffdf5a --> 0x0
RDI: 0x7fffffffe05b --> 0x0
RBP: 0x7fffffffe160 --> 0x0
RSP: 0x7fffffffde10 --> 0xffffefbd22b60000
RIP: 0x400902 (<main+638>:	mov    rdx,rax)
R8 : 0x1
R9 : 0x0
R10: 0x22 ('"')
R11: 0x246
R12: 0x4005a0 (<_start>:	xor    ebp,ebp)
R13: 0x7fffffffe240 --> 0x2
R14: 0x0
R15: 0x0
EFLAGS: 0x202 (carry parity adjust zero sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
0x4008f2 <main+622>:	cmp    DWORD PTR [rbp-0x314],0x9
0x4008f9 <main+629>:	jle    0x4008c7 <main+579>
0x4008fb <main+631>:	lea    rax,[rbp-0x110]
=> 0x400902 <main+638>:	mov    rdx,rax
0x400905 <main+641>:	mov    eax,0x400acd
0x40090a <main+646>:	mov    ecx,0xb
0x40090f <main+651>:	mov    rsi,rdx
0x400912 <main+654>:	mov    rdi,rax
[------------------------------------stack-------------------------------------]
0000| 0x7fffffffde10 --> 0xffffefbd22b60000
0008| 0x7fffffffde18 --> 0xffffffffffffffff
0016| 0x7fffffffde20 --> 0x7fffffffe248 --> 0x7fffffffe504 ("/home/beyond/l1nux")
0024| 0x7fffffffde28 --> 0x2f7ffe620
0032| 0x7fffffffde30 --> 0x1f7dda840
0040| 0x7fffffffde38 --> 0x7fffffffe517 ("baidushadu")
0048| 0x7fffffffde40 --> 0x602010 --> 0xfbad2488
0056| 0x7fffffffde48 --> 0xaf7dda73c
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
0x0000000000400902 in main ()


As seen above, the peda plugin shows which instruction execution has reached and displays the contents of all the registers, which is rather like OllyDbg.
.text:00000000004008FB                 lea     rax, [rbp+var_110]
.text:0000000000400902                 mov     rdx, rax
.text:0000000000400905                 mov     eax, offset aPqllauzduh ; "pqllauzduh"
.text:000000000040090A                 mov     ecx, 0Bh
.text:000000000040090F                 mov     rsi, rdx
.text:0000000000400912                 mov     rdi, rax
.text:0000000000400915                 repe cmpsb
.text:0000000000400917                 setnbe  dl
.text:000000000040091A                 setb    al
.text:000000000040091D                 mov     ecx, edx
.text:000000000040091F                 sub     cl, al
.text:0000000000400921                 mov     eax, ecx
.text:0000000000400923                 movsx   eax, al
.text:0000000000400926                 test    eax, eax
.text:0000000000400928                 jz      short loc_40093E


Through dynamic analysis we can see that the string at [rbp+var_110] is compared with pqllauzduh. At first I thought that this was the key, but entering it still gave an error.
So the only option is to look further up at what gets written to the address rbp+var_110.
.text:0000000000400887 loc_400887:                             ; CODE XREF: main+235#j
.text:0000000000400887                 mov     eax, [rbp+var_314]     # during dynamic analysis this held qweqweqwe
.text:000000000040088D                 cdqe
.text:000000000040088F                 movzx   eax, byte ptr [rbp+rax+var_110]    # fetch qweqweqwe one byte at a time
.text:0000000000400897                 sub     eax, 4    # subtract 4 from the letter
.text:000000000040089A                 mov     edx, eax
.text:000000000040089C                 mov     eax, [rbp+var_314]
.text:00000000004008A2                 cdqe
.text:00000000004008A4                 mov     byte ptr [rbp+rax+var_110], dl
.text:00000000004008AB                 add     [rbp+var_314], 1  # counter += 1
.text:00000000004008B2
.text:00000000004008B2 loc_4008B2:                             ; CODE XREF: main+201#j
.text:00000000004008B2                 cmp     [rbp+var_314], 4  # compare with 4: this produces the first 5 bytes
.text:00000000004008B9                 jle     short loc_400887
.text:00000000004008BB                 mov     [rbp+var_314], 5
.text:00000000004008C5                 jmp     short loc_4008F2
.text:00000000004008C7 ; ---------------------------------------------------------------------------
.text:00000000004008C7
.text:00000000004008C7 loc_4008C7:                             ; CODE XREF: main+275#j
.text:00000000004008C7                 mov     eax, [rbp+var_314]
.text:00000000004008CD                 cdqe
.text:00000000004008CF                 movzx   eax, byte ptr [rbp+rax+var_110]
.text:00000000004008D7                 add     eax, 3   # add 3 to each letter
.text:00000000004008DA                 mov     edx, eax
.text:00000000004008DC                 mov     eax, [rbp+var_314]
.text:00000000004008E2                 cdqe
.text:00000000004008E4                 mov     byte ptr [rbp+rax+var_110], dl
.text:00000000004008EB                 add     [rbp+var_314], 1  # counter += 1
.text:00000000004008F2
.text:00000000004008F2 loc_4008F2:                             ; CODE XREF: main+241#j
.text:00000000004008F2                 cmp     [rbp+var_314], 9 # for the last 5 bytes
.text:00000000004008F9                 jle     short loc_4008C7


From the comments above it is clear that the first 5 letters of the second string have 4 subtracted and the last 5 letters have 3 added, and the result must equal pqllauzduh; whatever produces that is the key. I wrote a simple Python generator for it:
x = ''
s = 'pqlla'    # first five bytes: the binary subtracted 4, so add 4 back
s1 = 'uzduh'   # last five bytes: the binary added 3, so subtract 3
for i in s:
    x += chr(ord(i) + 4)
for i in s1:
    x += chr(ord(i) - 3)
print x

Running it:
beyond@beyond ~/code/code-python $ python l1nux.py
tupperware

So the key is tupperware.
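An added Python model of the listing above (not the author's script): the forward transform the binary applies, its inverse, and the 11-byte compare, used to confirm the recovered key and to show why the first guess of pqllauzduh fails. The function names and the buffer model are my reading of the listing; the values come from the write-up.

```python
# String the transformed buffer is compared with (aPqllauzduh in the listing).
TARGET = b"pqllauzduh"


def forward(buf: bytes) -> bytes:
    """Emulate loc_400887 and loc_4008C7: 'sub eax, 4' on bytes 0..4 and
    'add eax, 3' on bytes 5..9. The store 'mov byte ptr [...], dl' keeps only
    the low byte, hence the & 0xff."""
    out = bytearray(buf[:10].ljust(10, b"\0"))
    for i in range(0, 5):
        out[i] = (out[i] - 4) & 0xff
    for i in range(5, 10):
        out[i] = (out[i] + 3) & 0xff
    return bytes(out)


def inverse(target: bytes) -> bytes:
    """Undo forward(): add 4 back to the first five bytes, subtract 3 from the last five."""
    head = [(b + 4) & 0xff for b in target[:5]]
    tail = [(b - 3) & 0xff for b in target[5:10]]
    return bytes(head + tail)


def passes_compare(key_line: bytes) -> bool:
    """Model the 'repe cmpsb' with ecx = 0Bh: 11 bytes are compared, so the ten
    transformed bytes and the terminating NUL must all match. In this model a key
    longer than ten characters fails even when its first ten are right."""
    buf = key_line[:11].ljust(11, b"\0")
    return forward(buf[:10]) + buf[10:11] == TARGET + b"\0"
```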