祥云杯2021
作者:互联网
Rev_Dizzy
ida分析
分析得出对输入的每个字节都进行了运算,然后跟特定数据比较。
2.解题思路
只要把带比较数据作为输入把运算反着运行一遍就行了,利用py脚本来使运算反向。
py脚本:
f1=open('D:\桌面\祥云\\re\\d.txt','r')#顺序 f2=open('D:\桌面\祥云\\re\\dd.txt','w')#逆序 num_row=5000 for ii in range(1): readstr=f1.readlines() print(readstr) writestr=[] for i in range(len(readstr)): writestr.append(readstr[len(readstr)-i-1]) print(writestr) f2.writelines(writestr)
最后得出flag:flag{Try_R3vers1ng_W1th_ScR!pt!}。
勒索解密
1.ida分析
通过调试得出加密流程为,sha256特殊数据,从中生成aes128的密钥。对文件进行aes128加密。
爆破时间(参考于天璇的wp)
void decrypt_test(void) { DWORD32 key[4] = { 0x0EC62FB2,0x4B54D44F,0,0x8EB1E721 }; FILE* f; int mode; fopen_s(&f,"G:\\flag.bmp.ctf_crypter", "rb"); BYTE * cipher =(BYTE*)malloc(0xd6830); memset(cipher, 0, 0xd6830); fread(cipher, sizeof(char), 0xd6830, f); for (int i = 1629097200; i < 1629553539; i++) //i=2021/08/16 15:00:00 < 当前时间 { HCRYPTPROV prov = NULL; HCRYPTHASH hash; HCRYPTKEY aesKey; DWORD length = 16; key[2] = i; BYTE head[32]; memset(head, 0, 32); memcpy(head, cipher, 16); if (!CryptAcquireContextA(&prov, NULL, MS_ENH_RSA_AES_PROV_A, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) { printf("error0\n"); } CryptCreateHash(prov, 0x800Cu, 0, 0, &hash); CryptHashData(hash, (const BYTE*)key, 0x10u, 0); CryptDeriveKey(prov, 0x660Eu, hash, 0, &aesKey); mode = 1; CryptSetKeyParam(aesKey, 4u, (const BYTE*)&mode, 0); CryptSetKeyParam(aesKey, 3u, (const BYTE*)&mode, 0); CryptDecrypt(aesKey, 0, 0, 0, head, &length); if (head[0] == 'B' && head[1] == 'M') { printf("%x", i); break; } } }
解密文件(参考于天璇的wp)
void decrypt(void) { DWORD32 key[4] = { 0x0EC62FB2,0x4B54D44F,1629098245,0x8EB1E721 }; FILE *f; int mode; fopen_s(&f, "G:\\flag.bmp.ctf_crypter", "rb"); BYTE *cipher = (BYTE*)malloc(0xd6830); int totalLength = 0xd6830; DWORD blockLen = 16; memset(cipher, 0, totalLength); fread(cipher, sizeof(char), totalLength, f); HCRYPTPROV prov = NULL; HCRYPTHASH hash; HCRYPTKEY aesKey; if (!CryptAcquireContextA(&prov, NULL, MS_ENH_RSA_AES_PROV_A, PROV_RSA_AES, CRYPT_VERIFYCONTEXT)) { printf("error0\n"); } CryptCreateHash(prov, 0x800Cu, 0, 0, &hash); CryptHashData(hash, (const BYTE*)key, 0x10u, 0); CryptDeriveKey(prov, 0x660Eu, hash, 0, &aesKey); mode = 1; CryptSetKeyParam(aesKey, 4u,(const BYTE*)&mode, 0); CryptSetKeyParam(aesKey, 3u,(const BYTE*)&mode, 0); for (int i = 0; i < totalLength; i += 16) { CryptDecrypt(aesKey, 0, 0, 0, cipher + i, &blockLen); } FILE* out; fopen_s(&out, "G:\\dec.bmp", "wb"); fwrite(cipher, 1, totalLength, out); printf("");
标签:hash,aesKey,prov,cipher,2021,BYTE,祥云,mode 来源: https://www.cnblogs.com/mio-yy/p/15181908.html