
NKCTF-login_system

Date: 2024-04-09 17:58:45

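The binary is not packed, so we can decompile it directly.
The check is ordinary: the username can be computed directly with z3. Let's look at the decompiled source.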

```c
_BOOL8 __fastcall sub_1229(char *a1)
{
  return a1[2] + a1[1] + *a1 + a1[3] == 447
      && 101 * a1[2] + *a1 + 9 * a1[1] + 8 * a1[3] == 12265
      && 5 * a1[2] + 3 * *a1 + 4 * a1[1] + 6 * a1[3] == 2000
      && 88 * a1[2] + 12 * *a1 + 11 * a1[1] + 87 * a1[3] == 21475
      && a1[6] + 59 * a1[5] + 100 * a1[4] + a1[7] == 7896
      && 443 * a1[4] + 200 * a1[5] + 10 * a1[6] + 16 * a1[7] == 33774
      && 556 * a1[5] + 333 * a1[4] + 8 * a1[6] + 7 * a1[7] == 44758
      && a1[6] + a1[5] + 202 * a1[4] + a1[7] == 9950
      && 78 * a1[10] + 35 * a1[9] + 23 * a1[8] + 89 * a1[11] == 24052
      && 78 * a1[8] + 59 * a1[9] + 15 * a1[10] + 91 * a1[11] == 25209
      && 111 * a1[10] + 654 * a1[9] + 123 * a1[8] + 222 * a1[11] == 113427
      && 6 * a1[9] + 72 * a1[8] + 5 * a1[10] + 444 * a1[11] == 54166
      && 56 * a1[14] + 35 * a1[12] + 6 * a1[13] + 121 * a1[15] == 11130
      && 169 * a1[14] + 158 * a1[13] + 98 * a1[12] + 124 * a1[15] == 27382
      && 147 * a1[13] + 65 * a1[12] + 131 * a1[14] + 129 * a1[15] == 23564
      && 137 * a1[14] + 132 * a1[13] + 620 * a1[12] + 135 * a1[15] == 51206;
}
```
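
As a refresher, here is the basic z3 pattern:

```python
#!/usr/bin/python3
# -*- coding: utf-8 -*-
from z3 import *

a, b = Ints('a b')
solver = Solver()        # create a solver object
solver.add(a + b == 10)  # add constraints with the add() method
solver.add(a - b == 6)
if solver.check() == sat:  # check() reports whether a solution exists; sat (satisfiable) means it does
    ans = solver.model()   # model() returns the solution
    print(ans)
    # a variable can also be used as an index to read its value
    print(ans[a])
else:
    print("no ans!")
```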

Solving for the username:

```python
from z3 import *

# Create 16 integer variables
username = [Int('user%d' % i) for i in range(16)]

# Create a solver
s = Solver()

# Add the constraints
for i in username:
    s.add(i > 0)
    s.add(i < 128)

s.add(username[2] + username[1] + username[0] + username[3] == 447)
s.add(101 * username[2] + username[0] + 9 * username[1] + 8 * username[3] == 12265)
s.add(5 * username[2] + 3 * username[0] + 4 * username[1] + 6 * username[3] == 2000)
s.add(88 * username[2] + 12 * username[0] + 11 * username[1] + 87 * username[3] == 21475)
s.add(username[6] + 59 * username[5] + 100 * username[4] + username[7] == 7896)
s.add(443 * username[4] + 200 * username[5] + 10 * username[6] + 16 * username[7] == 33774)
s.add(556 * username[5] + 333 * username[4] + 8 * username[6] + 7 * username[7] == 44758)
s.add(username[6] + username[5] + 202 * username[4] + username[7] == 9950)
s.add(78 * username[10] + 35 * username[9] + 23 * username[8] + 89 * username[11] == 24052)
s.add(78 * username[8] + 59 * username[9] + 15 * username[10] + 91 * username[11] == 25209)
s.add(111 * username[10] + 654 * username[9] + 123 * username[8] + 222 * username[11] == 113427)
s.add(6 * username[9] + 72 * username[8] + 5 * username[10] + 444 * username[11] == 54166)
s.add(56 * username[14] + 35 * username[12] + 6 * username[13] + 121 * username[15] == 11130)
s.add(169 * username[14] + 158 * username[13] + 98 * username[12] + 124 * username[15] == 27382)
s.add(147 * username[13] + 65 * username[12] + 131 * username[14] + 129 * username[15] == 23564)
s.add(137 * username[14] + 132 * username[13] + 620 * username[12] + 135 * username[15] == 51206)

# Check that a solution exists
assert s.check() == sat

# Get the model
result = s.model()

# Extract the variable values and convert them to bytes.
# Note: what z3 returns is list-like data holding symbolic expressions, while
# bytes() expects a sequence of integers; converting each expression with
# as_long() makes sure bytes() receives the integers it expects.
flag = bytes([result[i].as_long() for i in username])

# Print the result
print(flag)
# b'user01_nkctf2024'
```
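
Each group of four constraints in `sub_1229` is a linear system in four bytes, so the username can also be recovered without a solver. The following is an added example, not part of the original write-up: it solves the four 4x4 blocks with exact rational Gaussian elimination, and the names `EQUATIONS`, `solve_linear` and `recover_username` are illustrative.

```python
from fractions import Fraction

# Coefficients transcribed from sub_1229, reordered so that column k of a row
# belongs to a1[base + k]; each tuple is (coefficients, right-hand side).
EQUATIONS = [
    ([1, 1, 1, 1], 447),            # a1[0..3]
    ([1, 9, 101, 8], 12265),
    ([3, 4, 5, 6], 2000),
    ([12, 11, 88, 87], 21475),
    ([100, 59, 1, 1], 7896),        # a1[4..7]
    ([443, 200, 10, 16], 33774),
    ([333, 556, 8, 7], 44758),
    ([202, 1, 1, 1], 9950),
    ([23, 35, 78, 89], 24052),      # a1[8..11]
    ([78, 59, 15, 91], 25209),
    ([123, 654, 111, 222], 113427),
    ([72, 6, 5, 444], 54166),
    ([35, 6, 56, 121], 11130),      # a1[12..15]
    ([98, 158, 169, 124], 27382),
    ([65, 147, 131, 129], 23564),
    ([620, 132, 137, 135], 51206),
]


def solve_linear(rows, rhs):
    """Gauss-Jordan elimination over the rationals (no rounding error)."""
    n = len(rows)
    aug = [[Fraction(v) for v in row] + [Fraction(b)]
           for row, b in zip(rows, rhs)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if aug[r][col] != 0), None)
        if pivot is None:
            raise ValueError("singular system: the solution is not unique")
        aug[col], aug[pivot] = aug[pivot], aug[col]
        lead = aug[col][col]
        aug[col] = [v / lead for v in aug[col]]
        for r in range(n):
            if r != col and aug[r][col] != 0:
                factor = aug[r][col]
                aug[r] = [a - factor * b for a, b in zip(aug[r], aug[col])]
    return [row[n] for row in aug]


def recover_username():
    """Solve the four independent 4x4 blocks and return the 16 bytes."""
    out = bytearray(16)
    for base in range(0, 16, 4):
        block = EQUATIONS[base:base + 4]
        values = solve_linear([c for c, _ in block], [b for _, b in block])
        for k, value in enumerate(values):
            # A valid answer is an integer in the same range the z3 script uses.
            if value.denominator != 1 or not 0 < value < 128:
                raise ValueError("a1[%d] is not an ASCII byte: %s" % (base + k, value))
            out[base + k] = int(value)
    return bytes(out)


if __name__ == "__main__":
    print(recover_username())
```

Because every block is non-singular, the elimination also shows that the username is the only input that passes the check.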

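Next is the passwd, which is split into two parts.

Part one: a simple XOR operation

```c
for ( i = 0; i <= 8; ++i ) s2[i] = (i ^ passwd_9[i]) - i + 9;
```

Reversing it gives 'uSer1p4ss', which is the first nine bytes of the passwd.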
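
Undoing the loop above means reversing its steps in the opposite order: subtract 9, add `i` back, then XOR with `i`. The sketch below is an added example, not code from the original write-up; it assumes `s2` holds bytes (values wrap modulo 256), and because the page does not list the comparison target, it derives one from the recovered 'uSer1p4ss' to show the round trip.

```python
def encode(passwd9: bytes) -> bytes:
    """Mirror of the decompiled loop: s2[i] = (i ^ passwd_9[i]) - i + 9."""
    return bytes(((i ^ c) - i + 9) & 0xFF for i, c in enumerate(passwd9))


def decode(s2: bytes) -> bytes:
    """Inverse of encode(): undo '+ 9', undo '- i', then XOR with i again."""
    return bytes((((c - 9 + i) & 0xFF) ^ i) for i, c in enumerate(s2))


def is_invertible(length: int = 9) -> bool:
    """True if every position maps the 256 byte values one-to-one,
    i.e. the stored s2 bytes determine the password bytes uniquely."""
    return all(
        len({((i ^ x) - i + 9) & 0xFF for x in range(256)}) == 256
        for i in range(length)
    )


if __name__ == "__main__":
    target = encode(b"uSer1p4ss")  # constructed target, not dumped from the binary
    print(target.hex(), decode(target), is_invertible())
```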

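After that comes what is clearly an AES encryption routine, but when we inspect the s_box used by this AES we find that it has been modified.

So we swap in the modified s_box and decrypt:

```python
import binascii
import hashlib
import re


class AES:
    sbox = [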
  0x31, 0x52, 0x5A, 0xC8, 0x0B, 0xAC, 0xF3, 0x3A, 0x8B, 0x54,
  0x27, 0x9B, 0xAB, 0x95, 0xDE, 0x83, 0x60, 0xCB, 0x53, 0x7F,
  0xC4, 0xE3, 0x0A, 0x97, 0xE0, 0x29, 0xD5, 0x68, 0xC5, 0xDF,
  0xF4, 0x7B, 0xAA, 0xD6, 0x42, 0x78, 0x6C, 0xE9, 0x70, 0x17,
  0xD7, 0x37, 0x24, 0x49, 0x75, 0xA9, 0x89, 0x67, 0x03, 0xFA,
  0xD9, 0x91, 0xB4, 0x5B, 0xC2, 0x4E, 0x92, 0xFC, 0x46, 0xB1,
  0x73, 0x08, 0xC7, 0x74, 0x09, 0xAF, 0xEC, 0xF5, 0x4D, 0x2D,
  0xEA, 0xA5, 0xDA, 0xEF, 0xA6, 0x2B, 0x7E, 0x0C, 0x8F, 0xB0,
  0x04, 0x06, 0x62, 0x84, 0x15, 0x8E, 0x12, 0x1D, 0x44, 0xC0,
  0xE2, 0x38, 0xD4, 0x47, 0x28, 0x45, 0x6E, 0x9D, 0x63, 0xCF,
  0xE6, 0x8C, 0x18, 0x82, 0x1B, 0x2C, 0xEE, 0x87, 0x94, 0x10,
  0xC1, 0x20, 0x07, 0x4A, 0xA4, 0xEB, 0x77, 0xBC, 0xD3, 0xE1,
  0x66, 0x2A, 0x6B, 0xE7, 0x79, 0xCC, 0x86, 0x16, 0xD0, 0xD1,
  0x19, 0x55, 0x3C, 0x9F, 0xFB, 0x30, 0x98, 0xBD, 0xB8, 0xF1,
  0x9E, 0x61, 0xCD, 0x90, 0xCE, 0x7C, 0x8D, 0x57, 0xAE, 0x6A,
  0xB3, 0x3D, 0x76, 0xA7, 0x71, 0x88, 0xA2, 0xBA, 0x4F, 0x3E,
  0x40, 0x64, 0x0F, 0x48, 0x21, 0x35, 0x36, 0x2F, 0xE8, 0x14,
  0x5D, 0x51, 0xD8, 0xB5, 0xFE, 0xD2, 0x96, 0x93, 0xA1, 0xB6,
  0x43, 0x0D, 0x4C, 0x80, 0xC9, 0xFF, 0xA3, 0xDD, 0x72, 0x05,
  0x59, 0xBF, 0x0E, 0x26, 0x34, 0x1F, 0x13, 0xE5, 0xDC, 0xF2,
  0xC6, 0x50, 0x1E, 0xE4, 0x85, 0xB7, 0x39, 0x8A, 0xCA, 0xED,
  0x9C, 0xBB, 0x56, 0x23, 0x1A, 0xF0, 0x32, 0x58, 0xB2, 0x65,
  0x33, 0x6F, 0x41, 0xBE, 0x3F, 0x6D, 0x11, 0x00, 0xAD, 0x5F,
  0xC3, 0x81, 0x25, 0xA8, 0xA0, 0x9A, 0xF6, 0xF7, 0x5E, 0x99,
  0x22, 0x2E, 0x4B, 0xF9, 0x3B, 0x02, 0x7A, 0xB9, 0x5C, 0x69,
  0xF8, 0x1C, 0xDB, 0x01, 0x7D, 0xFD]
    s_box = {}
    ns_box = {   }

    Rcon = {     # round constants XORed in during key expansion
        1: ['0x01', '0x00', '0x00', '0x00'],
        2: ['0x02', '0x00', '0x00', '0x00'],
        3: ['0x04', '0x00', '0x00', '0x00'],
        4: ['0x08', '0x00', '0x00', '0x00'],
        5: ['0x10', '0x00', '0x00', '0x00'],
        6: ['0x20', '0x00', '0x00', '0x00'],
        7: ['0x40', '0x00', '0x00', '0x00'],
        8: ['0x80', '0x00', '0x00', '0x00'],
        9: ['0x1B', '0x00', '0x00', '0x00'],
        10: ['0x36', '0x00', '0x00', '0x00']
    }
    Matrix = [   # constant matrix left-multiplied in MixColumns
        ['0x02', '0x03', '0x01', '0x01'],
        ['0x01', '0x02', '0x03', '0x01'],
        ['0x01', '0x01', '0x02', '0x03'],
        ['0x03', '0x01', '0x01', '0x02']
    ]
    ReMatrix = [ # inverse constant matrix left-multiplied in inverse MixColumns
        ['0x0e', '0x0b', '0x0d', '0x09'],
        ['0x09', '0x0e', '0x0b', '0x0d'],
        ['0x0d', '0x09', '0x0e', '0x0b'],
        ['0x0b', '0x0d', '0x09', '0x0e']
    ]
    plaintext = [[], [], [], []]
    plaintext1 = [[], [], [], []]
    subkey = [[], [], [], []]
    def __init__(self, key):  # key expansion; the lookup dicts are built first
        self.subkey = [[], [], [], []]  # per-instance key schedule (avoids sharing the class-level list)
        self.s_box = dict(zip(["0x%02x"%i for i in range(256)], ["0x%02x"%i for i in self.sbox]))
        # s_box as a dict: {'0x00': '0x31', '0x01': '0x52', '0x02': '0x5a', ...}
        self.ns_box = dict(zip(self.s_box.values(), self.s_box.keys()))
        # inverse s_box as a dict: {'0x31': '0x00', '0x52': '0x01', '0x5a': '0x02', ...}
        for i in range(4):  # fill subkey with the first four words w (the 16-byte key)
            for j in range(0, 8, 2):
                self.subkey[i].append("0x" + key[(i * 8 + j) : (i * 8 + j + 2)])
        # print(self.subkey)
        for i in range(4, 44):
            if i % 4 != 0:  # not a multiple of four: plain XOR
                tmp = xor_32(self.subkey[i - 1], self.subkey[i - 4],0)  # the result is one word w
                self.subkey.append(tmp)
            else:  # runs when i is a multiple of 4
                tmp1 = self.subkey[i - 1][1:]  # take w[i-1]
                tmp1.append(self.subkey[i - 1][0])  # rotate left
                for m in range(4):
                    tmp1[m] = self.s_box[tmp1[m]]  # byte substitution
                # tmp1 = self.s_box['cf']
                tmp1 = xor_32(tmp1, self.Rcon[int(i / 4)], 0)  # XOR with the round constant for this round
                self.subkey.append(xor_32(tmp1, self.subkey[i - 4],0))
    def AddRoundKey(self, round):  # AddRoundKey
        for i in range(4):
            self.plaintext[i] = xor_32(self.plaintext[i], self.subkey[round * 4 + i],0)  # 32-bit XOR
        #print('AddRoundKey',self.plaintext)
    def PlainSubBytes(self):  # SubBytes
        for i in range(4):
            for j in range(4):
                self.plaintext[i][j] = self.s_box[self.plaintext[i][j]]
        # print('PlainSubBytes',self.plaintext)

    def RePlainSubBytes(self):  # inverse SubBytes
        for i in range(4):
            for j in range(4):
                self.plaintext[i][j] = self.ns_box[self.plaintext[i][j]]

    def ShiftRows(self):  # ShiftRows
        p1, p2, p3, p4 = self.plaintext[0][1], self.plaintext[1][1], self.plaintext[2][1], self.plaintext[3][1]
        self.plaintext[0][1] = p2
        self.plaintext[1][1] = p3
        self.plaintext[2][1] = p4
        self.plaintext[3][1] = p1
        p1, p2, p3, p4 = self.plaintext[0][2], self.plaintext[1][2], self.plaintext[2][2], self.plaintext[3][2]
        self.plaintext[0][2] = p3
        self.plaintext[1][2] = p4
        self.plaintext[2][2] = p1
        self.plaintext[3][2] = p2
        p1, p2, p3, p4 = self.plaintext[0][3], self.plaintext[1][3], self.plaintext[2][3], self.plaintext[3][3]
        self.plaintext[0][3] = p4
        self.plaintext[1][3] = p1
        self.plaintext[2][3] = p2
        self.plaintext[3][3] = p3
        # print('ShiftRows',self.plaintext)

    def ReShiftRows(self):  # inverse ShiftRows (rotate right)
        p1, p2, p3, p4 = self.plaintext[0][1], self.plaintext[1][1], self.plaintext[2][1], self.plaintext[3][1]
        self.plaintext[3][1] = p3
        self.plaintext[2][1] = p2
        self.plaintext[0][1] = p4
        self.plaintext[1][1] = p1
        p1, p2, p3, p4 = self.plaintext[0][2], self.plaintext[1][2], self.plaintext[2][2], self.plaintext[3][2]
        self.plaintext[0][2] = p3
        self.plaintext[1][2] = p4
        self.plaintext[2][2] = p1
        self.plaintext[3][2] = p2
        p1, p2, p3, p4 = self.plaintext[0][3], self.plaintext[1][3], self.plaintext[2][3], self.plaintext[3][3]
        self.plaintext[0][3] = p2
        self.plaintext[1][3] = p3
        self.plaintext[2][3] = p4
        self.plaintext[3][3] = p1

    def MixColumns(self):  # MixColumns
        for i in range(4):
            for j in range(4):
                self.plaintext1[i].append(MatrixMulti(self.Matrix[j], self.plaintext[i]))
        # print('MixColumns',self.plaintext1)

    def ReMixColumns(self):
        for i in range(4):
            for j in range(4):
                self.plaintext1[i].append(MatrixMulti(self.ReMatrix[j], self.plaintext[i]))

    def AESEncryption(self, plaintext):
        self.plaintext = [[], [], [], []]
        for i in range(4):
            for j in range(0, 8, 2):
                self.plaintext[i].append("0x" + plaintext[i * 8 + j:i * 8 + j + 2])
        self.AddRoundKey(0)
        for i in range(9):
            self.PlainSubBytes()
            self.ShiftRows()
            self.MixColumns()
            self.plaintext = self.plaintext1
            self.plaintext1 = [[], [], [], []]
            self.AddRoundKey(i + 1)

        self.PlainSubBytes()
        self.ShiftRows()
        self.AddRoundKey(10)
        return Matrixtostr(self.plaintext)

    def AESDecryption(self, cipher):
        self.plaintext = [[], [], [], []]
        for i in range(4):
            for j in range(0, 8, 2):
                self.plaintext[i].append('0x' + cipher[i * 8 + j:i * 8 + j + 2])

        # print(self.ns_box)
        self.AddRoundKey(10)
        for i in range(9):
            self.ReShiftRows()
            self.RePlainSubBytes()
            self.AddRoundKey(9-i)
            self.ReMixColumns()
            self.plaintext = self.plaintext1
            self.plaintext1 = [[], [], [], []]
        self.ReShiftRows()
        self.RePlainSubBytes()
        self.AddRoundKey(0)
        return Matrixtostr(self.plaintext)

    def Encryption(self, text):
        group = PlaintextGroup(TextToByte(text), 32, 1)
        # print(group)
        cipher = ""
        for i in range(len(group)):
            cipher = cipher + self.AESEncryption(group[i])
        return cipher

    def Decryption(self, cipher):
        group = PlaintextGroup(cipher, 32, 0)
        # print(group)
        text = ''
        for i in range(len(group)):
            text = text + self.AESDecryption(group[i])
        text = ByteToText(text)
        return text


def xor_32(start, end, key):
    a = []
    for i in range(0, 4):
        xor_tmp = ""
        b = hextobin(start[i])
        c = hextobin(end[i])
        d = bin(key)[2:].rjust(8,'0')
        for j in range(8):
            tmp = int(b[j], 10) ^ int(c[j], 10) ^ int(d[j],10)
            xor_tmp += str(tmp)
        a.append(bintohex(xor_tmp))
    return a


def xor_8(begin, end):
    xor_8_tmp = ""
    for i in range(8):
        xor_8_tmp += str(int(begin[i]) ^ int(end[i]))
    return xor_8_tmp


def hextobin(word):
    word = bin(int(word, 16))[2:]  # integer to binary string
    for i in range(0, 8-len(word)):
        word = '0'+word
    return word

def bintohex(word):
    word = hex(int(word, 2))
    if len(word) == 4:
        return word
    elif len(word) < 4:
        return word.replace('x', 'x0')


def MatrixMulti(s1, s2):  # s1 is a row of the constant matrix
    result = []
    s3 = []
    for i in range(4):
        s3.append(hextobin(s2[i]))
    for i in range(4):             # constant-matrix entry and the value it multiplies
        result.append(MultiProcess(int(s1[i], 16), s3[i]))
    for i in range(3):
        result[0] = xor_8(result[0], result[i+1])
    return bintohex(result[0])


def MultiProcess(a, b):  # the left-multiplication step
    if a == 1:  # multiplier is 1
        return b
    elif a == 2:
        if b[0] == '0':
            b = b[1:] + '0'  # drop the top bit
        else:
            b = b[1:] + '0'
            b = xor_8(b, '00011011')
        return b
    elif a == 3:
        tmp_b = b
        if b[0] == '0':
            b = b[1:] + '0'
        else:
            b = b[1:] + '0'
            b = xor_8(b, '00011011')
        return xor_8(b, tmp_b)  # original value XOR the value shifted left by one

    elif a == 9:
        tmp_b = b
        return xor_8(tmp_b, MultiProcess(2, MultiProcess(2, MultiProcess(2, b))))  # recursion
    elif a == 11:
        tmp_b = b
        return xor_8(tmp_b, xor_8(MultiProcess(2, MultiProcess(2, MultiProcess(2, b))), MultiProcess(2, b)))
    elif a == 13:
        tmp_b = b
        return xor_8(tmp_b, xor_8(MultiProcess(2, MultiProcess(2, MultiProcess(2, b))), MultiProcess(2, MultiProcess(2, b))))
    elif a == 14:
        return xor_8(MultiProcess(2, b), xor_8(MultiProcess(2, MultiProcess(2, MultiProcess(2, b))), MultiProcess(2, MultiProcess(2, b))))


def Matrixtostr(matrix):
    result = ""
    for i in range(4):
        for j in range(4):
            result += matrix[i][j][2:]
    return result


def PlaintextGroup(plaintext, length, flag):
    group = re.findall('.{'+str(length)+'}', plaintext)
    group.append(plaintext[len(group)*length:])
    if group[-1] == '' and flag:
        group[-1] = '16161616161616161616161616161616'
    elif len(group[-1]) < length and flag:
        tmp = int((length-len(group[-1])) / 2)
        if tmp < 10:
            for i in range(tmp):
                group[-1] = group[-1] + '0'+str(tmp)
        else:
            for i in range(tmp):
                group[-1] = group[-1] + str(tmp)
    elif not flag:
        del group[-1]
    return group

# string to hex
def TextToByte(words):
    text = words.encode('utf-8').hex()
    return text


def ByteToText(encode):
    tmp = int(encode[-2:])
    word = ''
    for i in range(len(encode)-tmp*2):
        word = word + encode[i]
    # print(word)
    word = bytes.decode(binascii.a2b_hex(word))
    return word
# byte-wise XOR (not part of the rounds)
def xorbytes(bytes1,bytes2):
    length=min(len(bytes1),len(bytes2))
    output=bytearray()
    for i in range(length):
        output.append(bytes1[i]^bytes2[i])
    return bytes(output)

username = 'user01_nkctf2024'  # username recovered with z3 above
pre_pass = 'uSer1p4ss'         # first nine bytes of the passwd, recovered above
res='B0CC93EAE92FEF5699396E023B4F9E42'.lower()  # enc
key = ''
for i in username:
    key+=hex(ord(i))[2:].rjust(2,"0")  # key
A1 = AES(key)  # create the object
tail_pass=""
for i in range(0,len(res),32):
    tail_pass+=bytes.fromhex(A1.AESDecryption(res[i:i+32])).decode()
print(tail_pass)
print(hashlib.md5(str(username+pre_pass+"_"+tail_pass).encode("utf-8")).hexdigest())
```

From: https://www.cnblogs.com/ovo-fisherman/p/18124456
