April 26, 2022

DASCTF2022 X FATE-奇怪的交易

0x00 日常查壳

难得查到壳,不过upx直接-d解壳即可

image-20220426164135626

0x01 恢复python

拉进ida开逆会发现是打包成ELF的python文件,可以查询下PYI_PROCNAME

image-20220425232353888

直接拉到linux下解包,然后再用pyinstxtractor解包

1
2
objcopy --dump-section pydata=werid.dump werid
python pyinstxtractor.py werid.dump

这样直出解包文件,再把struct.pyc的头十六个字节赋到 奇怪的交易.pyc 的头十六位

image-20220425233055033

直接pycdc一把梭了,实际上我淦了一下午python…(已经麻了,算长点python汇编经验

image-20220425233221576

0x02 GetFlag

程序逻辑是,RSA加密,和通过提示不难猜出是TEA系列加密,稍加尝试得知是xxtea(然而我并没有试出来

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
#include <stdio.h>
#include <stdint.h>

#define KEYLEN 4
#define DELTA 0x9e3779b9
#define LUN 32

void Encrypt(unsigned int * v, unsigned int * k);
void Decrypt(unsigned int * v, unsigned int * k);

#define MX (((z>>5^y<<2) + (y>>3^z<<4)) ^ ((sum^y) + (key[(p&3)^e] ^ z)))

void btea(uint32_t *v, int n, uint32_t const key[4])
{
uint32_t y, z, sum;
unsigned p, rounds, e;
if (n > 1) /* Coding Part */
{
rounds = 6 + 52/n;
sum = 0;
z = v[n-1];
do
{
sum += DELTA;
e = (sum >> 2) & 3;
for (p=0; p<n-1; p++)
{
y = v[p+1];
z = v[p] += MX;
}
y = v[0];
z = v[n-1] += MX;
}
while (--rounds);
}
else if (n < -1) /* Decoding Part */
{
n = -n;
rounds = 6 + 52/n;
sum = rounds*DELTA;
y = v[0];
do
{
e = (sum >> 2) & 3;
for (p=n-1; p>0; p--)
{
z = v[p-1];
y = v[p] -= MX;
}
z = v[n-1];
y = v[0] -= MX;
sum -= DELTA;
}
while (--rounds);
}
}



int main(void)
{
uint32_t v[] = { 0xD28ED952, 1472742623, 0xD91BA938, 0xF9F3BD2D, 0x8EF8E43D, 617653972, 1474514999, 1471783658, 1012864704, 0xD7821910, 993855884, 438456717, 0xC83555B7, 0xE8DFF468, 198959101, 0xC5B84FEB, 0xD9F837C6, 613157871, 0x8EFA4EDD, 97286225, 0x8B4B608C, 1471645170, 0xC0B62792, 583597118, 0xAAB1C22D, 0xBDB9C266, 1384330715, 0xAE9F9816, 0xD1F40B3C, 0x8206DDC3, 0xC4E0BADC, 0xE407BD26, 145643141, 0x8016C6A5, 0xAF4AB9D3, 506798154, 994590281, 0x85082A0B, 0xCA0BC95A, 0xA7BE567C, 1105937096, 1789727804, 0xDFEFB591, 0x93346B38, 1162286478, 680814033, 0xAEE1A7A2, 0x80E574AE, 0xF154F55F, 2121620700, 0xFCBDA653, 0x8E902444, 0xCA742E12, 0xB8424071, 0xB4B15EC2, 0x943BFA09, 0xBC97CD93, 1285603712, 798920280, 0x8B58328F, 0xF9822360, 0xD1FD15EE, 1077514121, 1436444106, 0xA2D6C17E, 1507202797, 500756149, 198754565, 0x8E014807, 880454148, 1970517398, 0xBFC6EE25, 1161840191, 560498076, 1782600856, 0x9D93FEBE, 1285196205, 788797746, 1195724574, 0xF2174A07, 103427523, 0x952BFE83, 0xF730AC4C, 617564657, 978211984, 1781482121, 0x8379D23A, 0xEAD737EE, 0xE41555FB, 659557668, 0x99F3B244, 1561884856, 0x842C31A4, 1189296962, 169145316, 0xA5CE044C, 1323893433, 824667876, 408202876, 0xE0178482, 0xF412BBBC, 1508996065, 162419237, 0xDE740B00, 0xB7CB64FD, 0xEBCADB1F, 0x8EAE2326, 0x933C216C, 0xD7D1F649, 481927014, 0xA448AC16, 0xBC082807, 1261069441, 2063238535, 0x8474A61D, 101459755, 0xBC5654D1, 1721190841, 1078395785, 176506553, 0xD3C5280F, 1566142515, 1938949000, 1499289517, 0xC59872F8, 829714860, 0xE51502A2, 952932374, 1283577465, 2045007203, 0xEBE6A798, 0xE09575CD, 0xADDF4157, 0xC4770191, 482297421, 1734231412, 0xDAC71054, 0x99807E43, 0xA88D74B1, 0xCB77E028, 1533519803, 0xEEEBC3B6, 0xE7E680E5, 272960248, 317508587, 0xC4B10CDC, 0x91776399, 27470488, 1666674386, 1737927609, 750987808, 0x8E364D8F, 0xA0985A77, 562925334, 0x837D6DC3, 0 }, k[KEYLEN] = { 54, 54, 54, 54 };
int i, index;
int n = 155;

btea(v, -n, k);
unsigned char * p = (unsigned char *)v;
for ( i = 0, index = 0; index < n; i += 4, index++ )
printf("%c%c%c%c", p[i + 3], p[i + 2], p[i + 1], p[i]);

return 0;
}
//10610336534759505889607399322387179316771488492347274741918862678692508953185876570981227584004676580623553664818853686933004290078153620168054665086468417541382824708104480882577200529822968531743002301934310349005341104696887943182074473298650903541494918266823037984054778903666406545980557074219162536057146090758158128189406073809226361445046225524917089434897957301396534515964547462425719205819342172669899546965221084098690893672595962129879041507903210851706793788311452973769358455761907303633956322972510500253009083922781934406731633755418753858930476576720874219359466503538931371444470303193503733920039

由于e指数过大,拿到密文直接拉去RSA维纳攻击

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
import gmpy2
import libnum

def continuedFra(x, y):
cf = []
while y:
cf.append(x // y)
x, y = y, x % y
return cf
def gradualFra(cf):
numerator = 0
denominator = 1
for x in cf[::-1]:
# 这里的渐进分数分子分母要分开
numerator, denominator = denominator, x * denominator + numerator
return numerator, denominator
def solve_pq(a, b, c):
par = gmpy2.isqrt(b * b - 4 * a * c)
return (-b + par) // (2 * a), (-b - par) // (2 * a)
def getGradualFra(cf):
gf = []
for i in range(1, len(cf) + 1):
gf.append(gradualFra(cf[:i]))
return gf


def wienerAttack(e, n):
cf = continuedFra(e, n)
gf = getGradualFra(cf)
for d, k in gf:
if k == 0: continue
if (e * d - 1) % k != 0:
continue
phi = (e * d - 1) // k
p, q = solve_pq(1, n - phi + 1, n)
if p * q == n:
return d


n=12702192797044914024075774649965354105344232304099465264316470282606351700311177624703682814557100043599414982439635470829841890299241342602374578366076034128412992290094164613120745611751102797279925764448133764246126488845600641524814194290745105708735258127757986238766868988676022258542038318776640732920027324986285887310132372524224961045858183153047991881042129131551711617627844146600513830709959185824512201669420128585170924683844128155435146399996585220865423125338735154727569986267948480523307784641442521735105741341230032585576300299944879647981670048377150556292280650846158185797588466680532743801893
e=12680615221091469696163926483122992106481999501435284497098601343706982733487916553201934931961274845294041438909951977672521864927961654544622905443692482152403380984734291652023321187458458985625147422841102922314725726207365632256563373977251725785357590588556314671253970422319546403985257810950046085994573229162322957630767327089195523762665081311711474689269184996318744510300057603532953644164998953897411177604349567514705039306693117602798453972917348902600111420473965929048876821563646206875034926505783009957256212261250539005023918242209009676914632796839852778318989278092929214021282438144809708279435
c=10610336534759505889607399322387179316771488492347274741918862678692508953185876570981227584004676580623553664818853686933004290078153620168054665086468417541382824708104480882577200529822968531743002301934310349005341104696887943182074473298650903541494918266823037984054778903666406545980557074219162536057146090758158128189406073809226361445046225524917089434897957301396534515964547462425719205819342172669899546965221084098690893672595962129879041507903210851706793788311452973769358455761907303633956322972510500253009083922781934406731633755418753858930476576720874219359466503538931371444470303193503733920039
d=wienerAttack(e, n)
m=pow(c, d, n)
print(libnum.n2s(m).decode())

GetFlag!

image-20220425233447738

Pyinstaller逆向

结束了吗,没有!这玄学猜TEA有什么意思!(虽然我也没猜出来

于是看了t0hka师傅的文章发现了这篇好文章

[原创]Python逆向——Pyinstaller逆向

逆向前的思路分析

首先得大概了解下Pyinstaller这个库到底干了什么,一句话将py编译成pyc,部分压缩成pyz,程序再对pyc和pyz调用

由于这是3.10的题,所以如果我们想看到import cup里面到底发生了什么,就要先弄个3.10的环境(不然会缺失PYZ-00.pyz_extracted文件夹里的东西)

还是一样解包出这个文件(虽然报了一排错,不过我们要的东西已经拿到了,也就是PYZ-00.pyz_extracted文件夹里的东西

image-20220426182709687

关于部分压缩成pyz,通过pyinstaller库中的archieve文件夹找到pyz_crypto.py文件,这是对pyz文件的加密代码

加密方法是使用tinyAES库

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
#-----------------------------------------------------------------------------
# Copyright (c) 2005-2021, PyInstaller Development Team.
#
# Distributed under the terms of the GNU General Public License (version 2
# or later) with exception for distributing the bootloader.
#
# The full license is in the file COPYING.txt, distributed with this software.
#
# SPDX-License-Identifier: (GPL-2.0-or-later WITH Bootloader-exception)
#-----------------------------------------------------------------------------

import os

BLOCK_SIZE = 16

class PyiBlockCipher(object):
"""
This class is used only to encrypt Python modules.
"""
def __init__(self, key=None):
assert type(key) is str
if len(key) > BLOCK_SIZE:
self.key = key[0:BLOCK_SIZE]
else:
self.key = key.zfill(BLOCK_SIZE)
assert len(self.key) == BLOCK_SIZE

import tinyaes
self._aesmod = tinyaes

def encrypt(self, data):
iv = os.urandom(BLOCK_SIZE)
return iv + self.__create_cipher(iv).CTR_xcrypt_buffer(data)

def __create_cipher(self, iv):
# The 'AES' class is stateful, this factory method is used to
# re-initialize the block cipher class with each call to xcrypt().
return self._aesmod.AES(self.key.encode(), iv)

还原CUP!

现在我们通过我们解压出文件夹根目录,先找到两个关键文件,一个是密钥一个是加密方法

image-20220426183817755

我们再去PYZ-00.pyz_extracted这个文件夹找到cup.pyc.encrypted

image-20220426183912311

所以现在我们有了

  1. 加密方法
  2. 密钥
  3. 要解密的文件

引用文章中的代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
import tinyaes
import zlib

CRYPT_BLOCK_SIZE = 16

# 从crypt_key.pyc获取key,也可自行反编译获取
key = bytes('0000000000000tea', 'utf-8')

inf = open('cup.pyc.encrypted', 'rb') # 打开加密文件
outf = open('output.pyc', 'wb') # 输出文件

# 按加密块大小进行读取
iv = inf.read(CRYPT_BLOCK_SIZE)

cipher = tinyaes.AES(key, iv)

# 解密
plaintext = zlib.decompress(cipher.CTR_xcrypt_buffer(inf.read()))

# 补pyc头(最后自己补也行)
outf.write(b'\x6f\x0d\x0d\x0a\0\0\0\0\0\0\0\0\0\0\0\0')

# 写入解密数据
outf.write(plaintext)

inf.close()
outf.close()

pycdc一把梭或者在线网站都可以,标准的xxtea算法!

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
#!/usr/bin/env python
# visit https://tool.lu/pyc/ for more information
import libnum
from ctypes import *

def MX(z, y, total, key, p, e):
temp1 = (z.value >> 5 ^ y.value << 2) + (y.value >> 3 ^ z.value << 4)
temp2 = (total.value ^ y.value) + (key[p & 3 ^ e.value] ^ z.value)
return c_uint32(temp1 ^ temp2)


def encrypt(ᘗ, ᘖ, ᘘ):
ᘜ = 0x9E3779B9L
ᘛ = 6 + 52 // ᘗ
total = c_uint32(0)
ᘔ = c_uint32(ᘖ[ᘗ - 1])
ᘕ = c_uint32(0)
if ᘛ > 0:
total.value += ᘜ
ᘕ.value = total.value >> 2 & 3
ᘚ = c_uint32(ᘖ[0])
ᘖ[ᘗ - 1] = c_uint32(ᘖ[ᘗ - 1] + MX(ᘔ, ᘚ, total, ᘘ, ᘗ - 1, ᘕ).value).value
ᘔ.value = ᘖ[ᘗ - 1]
ᘛ -= 1
if not ᘛ > 0:
return

奇怪的交易.pyc反汇编扩展

手淦汇编扩展,emmm淦了很久汇编,看到反汇编感觉翻译错了,但单看源码应该没什么问题,也许加了什么花,对于那些奇怪的跳转其实也许是while

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
import libnum

def TEA():
print("DAS")

flag = input()
pub_key = [0x649EE967E7916A825CC9FD3320BEABF263BEAC68C080F52824A0F521EDB6B78577EC52BF1C9E78F4BB71192F9A23F1A17AA76E5979E4D953329D3CA65FB4A71DA57412B59DFD6AEDF0191C5555D3E5F582B81B5E6B23163E9889204A81AFFDF119FE25C92F4ED59BD3285BCD7AAE14824240D2E33C5A97848F4EB7AAC203DE6330D2B4D8FF61691544FBECD120F99A157B3D2F58FA51B2887A9D06CA383C44D071314A12B17928B96F03A06E959A5AFEFA0183664F52CD32B9FC72A04B45913FCB2D5D2D3A415A14F611CF1EAC2D6C785142A8E9CC41B67A6CD85001B06EDB8CA767D367E56E0AE651491BF8A8C17A38A1835DB9E4A9292B1D86D5776C98CC25, 0x647327833ACFEF1F9C83E74E171FC300FA347D4A6769476C33DA82C95120ACB38B62B33D429206FE6E9BB0BB7AB748A1036971BEA36EC47130B749C1C9FF6FE03D0F7D9FC5346EB0E575BDFA6C530AA57CD676894FC080D2DD049AB59625F4B9C78BCFD95CDCD2793E440E26E189D251121CB6EB177FEDB596409034E8B0C5BBD9BD9342235DBB226C9170EFE347FF0FD2CFF9A1F7B647CC83E4D8F005FD7125A89251C768AFE70BDD54B88116814D5030F499BCAC4673CCCC342FB4B6AC58EA5A64546DC25912B6C430529F6A7F449FD96536DE269D1A1B015A4AC6B6E46EE19DCE8143726A6503E290E4BAE6BD78319B5878981F6CFFDB3B818209341FD68B]
m = libnum.s2n(flag)

c = str(pow(m, pub_key[1], pub_key[0]))
list_input = []
list_enc = [0xD28ED952, 1472742623, 0xD91BA938, 0xF9F3BD2D, 0x8EF8E43D, 617653972, 1474514999, 1471783658, 1012864704, 0xD7821910, 993855884, 438456717, 0xC83555B7, 0xE8DFF468, 198959101, 0xC5B84FEB, 0xD9F837C6, 613157871, 0x8EFA4EDD, 97286225, 0x8B4B608C, 1471645170, 0xC0B62792, 583597118, 0xAAB1C22D, 0xBDB9C266, 1384330715, 0xAE9F9816, 0xD1F40B3C, 0x8206DDC3, 0xC4E0BADC, 0xE407BD26, 145643141, 0x8016C6A5, 0xAF4AB9D3, 506798154, 994590281, 0x85082A0B, 0xCA0BC95A, 0xA7BE567C, 1105937096, 1789727804, 0xDFEFB591, 0x93346B38, 1162286478, 680814033, 0xAEE1A7A2, 0x80E574AE, 0xF154F55F, 2121620700, 0xFCBDA653, 0x8E902444, 0xCA742E12, 0xB8424071, 0xB4B15EC2, 0x943BFA09, 0xBC97CD93, 1285603712, 798920280, 0x8B58328F, 0xF9822360, 0xD1FD15EE, 1077514121, 1436444106, 0xA2D6C17E, 1507202797, 500756149, 198754565, 0x8E014807, 880454148, 1970517398, 0xBFC6EE25, 1161840191, 560498076, 1782600856, 0x9D93FEBE, 1285196205, 788797746, 1195724574, 0xF2174A07, 103427523, 0x952BFE83, 0xF730AC4C, 617564657, 978211984, 1781482121, 0x8379D23A, 0xEAD737EE, 0xE41555FB, 659557668, 0x99F3B244, 1561884856, 0x842C31A4, 1189296962, 169145316, 0xA5CE044C, 1323893433, 824667876, 408202876, 0xE0178482, 0xF412BBBC, 1508996065, 162419237, 0xDE740B00, 0xB7CB64FD, 0xEBCADB1F, 0x8EAE2326, 0x933C216C, 0xD7D1F649, 481927014, 0xA448AC16, 0xBC082807, 1261069441, 2063238535, 0x8474A61D, 101459755, 0xBC5654D1, 1721190841, 1078395785, 176506553, 0xD3C5280F, 1566142515, 1938949000, 1499289517, 0xC59872F8, 829714860, 0xE51502A2, 952932374, 1283577465, 2045007203, 0xEBE6A798, 0xE09575CD, 0xADDF4157, 0xC4770191, 482297421, 1734231412, 0xDAC71054, 0x99807E43, 0xA88D74B1, 0xCB77E028, 1533519803, 0xEEEBC3B6, 0xE7E680E5, 272960248, 317508587, 0xC4B10CDC, 0x91776399, 27470488, 1666674386, 1737927609, 750987808, 0x8E364D8F, 0xA0985A77, 562925334, 0x837D6DC3]

i = 0
while i < len(c):
t = 0
for ii in c[i: i + 4]:
t = (t << 8) + ord(ii)
list_input.append(t)
i += 4
if not i < len(c):
list_data = [54, 54, 54, 54]
len_input = len(list_input)
res = XXTEA(list_data, list_input, len_input)
if list_input == list_enc:
print("P.Z!!")
DASCTF X SU
🍬
HFCTF2022
🍪

About this Post

This post is written by P.Z, licensed under CC BY-NC 4.0.