Hgame week1 writeup (first two RE challenges)

This is my first writeup. I'm still pretty weak and only solved two challenges.

compress_dot_new

The attachment contains a txt file. Opening it, we see what looks like a nested JSON object, probably representing some tree-structured data, followed by a string of binary digits.

Next we look at the other file, a .nu file. I can't make sense of it, so let's throw it at an AI.

image-20250210214028630

Taking it all together, the binary string is probably the output of Huffman coding, and the JSON object probably represents the code table (the tree) produced during Huffman encoding. Let's write a decoder.

 import json

 # The complete JSON object (the Huffman tree from the attachment)
 json_str = '{"a":{"a":{"a":{"a":{"a":{"s":125},"b":{"a":{"s":119},"b":{"s":123}}},"b":{"a":{"s":104},"b":{"s":105}}},"b":{"a":{"s":101},"b":{"s":103}}},"b":{"a":{"a":{"a":{"s":10},"b":{"s":13}},"b":{"s":32}},"b":{"a":{"s":115},"b":{"s":116}}}},"b":{"a":{"a":{"a":{"a":{"a":{"s":46},"b":{"s":48}},"b":{"a":{"a":{"s":76},"b":{"s":78}},"b":{"a":{"s":83},"b":{"a":{"s":68},"b":{"s":69}}}}},"b":{"a":{"a":{"s":44},"b":{"a":{"s":33},"b":{"s":38}}},"b":{"s":45}}},"b":{"a":{"a":{"s":100},"b":{"a":{"s":98},"b":{"s":99}}},"b":{"a":{"a":{"s":49},"b":{"s":51}},"b":{"s":97}}}},"b":{"a":{"a":{"a":{"s":117},"b":{"s":118}},"b":{"a":{"a":{"s":112},"b":{"s":113}},"b":{"s":114}}},"b":{"a":{"a":{"s":108},"b":{"s":109}},"b":{"a":{"s":110},"b":{"s":111}}}}}}'

 # The binary-encoded string (the Huffman-coded data from the attachment)
 binary_str = "00010001110111111010010000011100010111000100111000110000100010111001110010011011010101111011101100110100011101101001110111110111011011001110110011110011110110111011101101011001111011001111000111001101111000011001100001011011101100011100101001110010111001111000011000101001010000000100101000100010011111110110010111010101000111101000110110001110101011010011111111001111111011010101100001101110101101111110100100111100100010110101111111111100110001010101101110010011111000110110101101111010000011110100000110110101011000111111000110101001011100000110111100000010010100010001011100011100111001011101011111000101010110101111000001100111100011100101110101111100010110101110000010100000010110001111011100011101111110101010010011101011100100011110010010110111101110111010111110110001111010101110010001011100100101110001011010100001110101000101111010100110001110101011101100011011011000011010000001011000111011111111100010101011100000"

 # Load the JSON string into a Python dict
 tree = json.loads(json_str)

 def decode(binary_str, tree):
     result = []
     node = tree
     for bit in binary_str:
         if bit == '0':
             node = node['a']
         else:  # bit == '1'
             node = node['b']

         if 's' in node:  # Reached a leaf node
             result.append(chr(node['s']))
             node = tree  # Reset to root for next character

     return ''.join(result)

 decoded_text = decode(binary_str, tree)
 print(decoded_text)

 # Second approach: split the binary string into 8-bit groups
 binary_string = "00010001110111111010010000011100010111000100111000110000100010111001110010011011010101111011101100110100011101101001110111110111011011001110110011110011110110111011101101011001111011001111000111001101111000011001100001011011101100011100101001110010111001111000011000101001010000000100101000100010011111110110010111010101000111101000110110001110101011010011111111001111111011010101100001101110101101111110100100111100100010110101111111111100110001010101101110010011111000110110101101111010000011110100000110110101011000111111000110101001011100000110111100000010010100010001011100011100111001011101011111000101010110101111000001100111100011100101110101111100010110101110000010100000010110001111011100011101111110101010010011101011100100011110010010110111101110111010111110110001111010101110010001011100100101110001011010100001110101000101111010100110001110101011101100011011011000011010000001011000111011111111100010101011100000"
 bytes_list = [binary_string[i:i+8] for i in range(0, len(binary_string), 8)]
 # Convert each group to an ASCII character
 decoded_string = ''.join([chr(int(byte, 2)) for byte in bytes_list])
 print(decoded_string)
image-20250210214134684

We get the flag.

Turtle

First let's check for a packer.

image-20250210214315543

It tells us it can't be unpacked, but it is packed, so let's unpack it manually with x64dbg.

image-20250210214700898

Find the packer's entry point and set a breakpoint.

image-20250210214848863

We dump directly at the program's start point.

After decompiling, let's look at the cross-references.

image-20250210214957497

image-20250210215010971

There's a sub function; following it, we see the challenge prompt.

image-20250210215135769

Let's step into this function.

image-20250210215158086

A modified RC4: the XOR operator has been replaced with a minus sign.

And this part

image-20250210215314202

is a normal RC4.

The overall logic: the first block, v4, is the key for the first RC4, and what that decrypts to is the key for the second RC4. Let's write a script.

 def KSA(key):
     # RC4 key scheduling
     S = list(range(256))
     j = 0
     for i in range(256):
         j = (j + S[i] + key[i % len(key)]) % 256
         S[i], S[j] = S[j], S[i]
     return S

 def PRGA(S):
     # RC4 keystream generator
     i, j = 0, 0
     while True:
         i = (i + 1) % 256
         j = (j + S[i]) % 256
         S[i], S[j] = S[j], S[i]
         K = S[(S[i] + S[j]) % 256]
         yield K

 def RC4(key, text):
     # Normal RC4: XOR each byte with the keystream
     S = KSA(key)
     keystream = PRGA(S)
     res = []
     for char in text:
         res.append(char ^ next(keystream))
     return bytes(res)

 # First stage: the encrypted bytes from the binary, decrypted with normal RC4 under v4 ('yekyek')
 key = b'yekyek'
 enc_key1 = [0xCD, 0x8F, 0x25, 0x3D, 0xE1, 0x51, 0x4A]
 key1 = RC4(key, enc_key1)
 print("Key1:", key1)

 def RC4_add(key, text):
     # Modified RC4: the binary subtracts the keystream instead of XORing, so we add it back
     S = KSA(key)
     keystream = PRGA(S)
     res = []
     for char in text:
         res.append((char + next(keystream)) % 256)
     return bytes(res)

 # Second stage: the encrypted flag bytes from the binary, decrypted with key1
 enc_flag = [0xF8, 0xD5, 0x62, 0xCF, 0x43, 0xBA, 0xC2, 0x23, 0x15,
             0x4A, 0x51, 0x10, 0x27, 0x10, 0xB1, 0xCF, 0xC4, 9,
             0xFE, 0xE3, 0x9F, 0x49, 0x87, 0xEA, 0x59, 0xC2, 7,
             0x3B, 0xA9, 0x11, 0xC1, 0xBC, 0xFD, 0x4B, 0x57, 0xC4,
             0x7E, 0xD0, 0xAA, 0xA]

 flag = RC4_add(key1, enc_flag)
 print("Flag:", flag)
image-20250210215716966

We get the flag.
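An added example, not the writeup's script, that implements both directions of the two-stage scheme described above: normal RC4 for the first stage and, for the second, the variant whose XOR became a subtraction. The forward direction (cipher byte = plain byte minus keystream byte, mod 256) is my assumption, inferred from the fact that the writeup's decoder adds the keystream back; the keys and flag at the bottom are constructed, and the keystream is checked against the public RC4 test vector (key "Key", plaintext "Plaintext").

```python
def ksa(key):
    """RC4 key scheduling: permute S under the key bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    return s

def keystream(key, n):
    """First n PRGA output bytes for key (plain RC4, nothing dropped)."""
    s, i, j, out = ksa(key), 0, 0, []
    for _ in range(n):
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) % 256])
    return bytes(out)

def rc4_xor(key, data):
    """Normal RC4. XOR is its own inverse, so this both encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, keystream(key, len(data))))

def rc4_sub_encrypt(key, data):
    """Assumed Turtle forward direction: cipher = plain - keystream (mod 256)."""
    return bytes((b - k) % 256 for b, k in zip(data, keystream(key, len(data))))

def rc4_sub_decrypt(key, data):
    """Inverse of the variant: plain = cipher + keystream (mod 256). Unlike XOR,
    running the encrypt routine twice does NOT undo it; the sign must flip."""
    return bytes((b + k) % 256 for b, k in zip(data, keystream(key, len(data))))

def build_challenge(outer_key, inner_key, flag):
    """Forward chain a binary like Turtle's would compute, on constructed inputs."""
    return rc4_xor(outer_key, inner_key), rc4_sub_encrypt(inner_key, flag)

def recover_flag(outer_key, enc_inner_key, enc_flag):
    """The writeup's two-stage solve: normal RC4 under the outer key yields the
    inner key; the subtraction variant under that key yields the flag."""
    return rc4_sub_decrypt(rc4_xor(outer_key, enc_inner_key), enc_flag)

if __name__ == "__main__":
    enc1, enc2 = build_challenge(b"yekyek", b"inner-key", b"hgame{constructed_flag}")
    print(recover_flag(b"yekyek", enc1, enc2))  # b'hgame{constructed_flag}'
```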
