[羊城杯 2020]babyre

本题2个输入,第一个是DES加密,输入的是第二步AES使用到的密钥.

第2步所在的函数需要动调解SMC.

进入后搜索关键值(S盒),发现是AES加密,另还有2步加密,需要深搜(解不唯一)爆破得出.

题目逻辑不难,但是比较大,脚本一开始没写对QWQ

python代码如下:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
# 添加库
from Crypto.Cipher import DES, AES

byte_604100 = [
189, 173, 180, 132, 16, 99, 179, 225, 198, 132, 45, 111, 186, 136, 116, 196, 144, 50, 234, 46, 198, 40, 101, 112,
201, 117, 120, 160, 11, 159, 166
]

# 输出16进制
# for i in range(len(byte_604100)):
# print(hex(byte_604100[i]), end=',')
# input()

dec_list1 = [0] * 32
dec_list1[31] = 0xc4
possible = []

'''
for ( k = 1; k <= 31; ++k ) // 下文已知byte_6040D0[],可提取出
// 也许需要爆破input_flag[]的最后一个字节?
// 30行的求模这步应该构成一个有限域,不影响逆运算的单射性(?)
byte_6040D0[k - 1] = (2 * (input_flag[k - 1] ^ 19) + 7) ^ ((unsigned __int8)input_flag[k - 1] % 9u
+ input_flag[k]
+ 2);
'''


def dfs(idx, cur_list):
if idx == -1:
possible.append(cur_list[:])
print(cur_list)
return
_cur_list = cur_list[:]
for j in range(256):
test_encoded_byte = ((((2 * (j ^ 0x13)) + 7) ^ ((j % 9) + _cur_list[idx + 1] + 2)) & 0xff)
if test_encoded_byte == byte_604100[idx]:
_cur_list[idx] = j
dfs(idx - 1, _cur_list)


dfs(30, dec_list1)

for i in possible:
print(i)
print(len(possible))

DES_enc_list = [10, 244, 238, 200, 66, 138, 155, 219, 162, 38, 111, 238, 238, 224, 216, 162]
DES_enc = b''
for i in DES_enc_list:
DES_enc += bytes([i])
print()
print(DES_enc)
print()
DES_key = b'\xAD\x52\xF2\x4C\xE3\x2C\x20\xD6'
iv = b'\x00' * 8
DES_dec = DES.new(DES_key, DES.MODE_CBC, iv).decrypt(DES_enc)
AES_key = DES_dec

# iv = b'\x00' * 16
for x in possible:
for i in range(31, -1, -1):
for j in range(int(i / 4)):
x[i] ^= x[j]
res = AES.new(AES_key, AES.MODE_ECB).decrypt(bytes(x))
print(res)

运行结果:

1
2
3
4
5
# ... 略 ...
b'\xd0UH\x9e\x1br\x11\xb0\xe4\xb1kc\xd3\xbd\xcf_\xb0l>\x9cv\xe7\x9bg\xe4\xcdm<J{W\xf1'
b'GWHT{th1s_gam3_1s_s0_c00l_and_d}'
b'l\x0b\xa6b\x82\xc8<g\x08B\x10r6\x1b\x9c\xd8v;\x86\xb7\x0e\xc6T\x82\x1e"U\x1buP\x95\xba'
# ... 略 ...

得到flag为:

GWHT{th1s_gam3_1s_s0_c00l_and_d}