[FSCTF 2023]ezcode
...
给了395行的python字节码
大致这个逻辑:
def func1(message,key):
s_box = func2(key)
crypt = str(func3(message,s_box))
return crypt
pass
def func2():
s_box = []
pass
def func3():
pass
def encode(c):
s = "vwxrstuopq34567ABCDEFGHIJyz012PQRSTKLMNOZabcdUVWXYefghijklmn89+/"
return base64encode(c,s)
pass
flag = input("please input your flag:")
outputs = encode(func1(flag,"XFFTnT"))
if outputs!="ADkopgjJFP+28RYgXUxU2Oej":
print("think again")
else:
print("Success!")
注意到 ROT_TWO是交换栈顶两个元素
分析下感觉func2和func3就是RC4的init和加密
只是RC4加密处有修改
14 4 LOAD_CONST 1 ('FSCTF')
6 STORE_FAST 3 (y)
...
...
...
120 BINARY_XOR
122 LOAD_GLOBAL 2 (ord)
124 LOAD_FAST 3 (y)
126 LOAD_FAST 4 (i)
128 LOAD_GLOBAL 3 (len)
130 LOAD_FAST 3 (y)
132 CALL_FUNCTION 1
encode是一个变表base64
逐个逆回去解就行了
base64解得:
enc = [0x3d,0x2e,0x07,0x23,0x4d,0xd8,0x51,0xef,0x9d,0xf2,0x0c,0x74,0xc2,0xd0,0xad,0x76,0x7c,0xb7]
然后RC4变下形:
#include<bits/stdc++.h>
using namespace std;
signed main(){
int base64_table[] = {0x3d,0x2e,0x07,0x23,0x4d,0xd8,0x51,0xef,0x9d,0xf2,0x0c,0x74,0xc2,0xd0,0xad,0x76,0x7c,0xb7};
string key = "XFFTnT";
string key2="FSCTF";
int s[256],k[256];
int j=0;
for (int i = 0; i < 256; i++) {
s[i] = i;
k[i] = key[i % key.length()];
}
for (int i2 = 0; i2 < 256; i2++) {
j = (s[i2] + j + k[i2]) & 255;
int temp = s[i2];
s[i2] = s[j];
s[j] = temp;
}
int j2 = 0;
int i3 = 0;int cnt=0;
for (int i4 : base64_table) {
i3 = (i3 + 1) & 255;
j2 = (s[i3] + j2) & 255;
int temp2 = s[i3];
s[i3] = s[j2];
s[j2] = temp2;
int rnd = s[(s[i3] + s[j2]) & 255];
cout<<((char) (i4 ^ rnd^key2[++cnt%5]));
// cnt++;
}
}
flag:
FSCTF{G00d_j0b!!!}
