Notes

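1. The weekend was a bit busy, but I found time to take part in the recruitment CTF and looked at basically all of the crypto challenges.

This is mainly a review of the challenge written by a senior teammate, which was also the one with the fewest solves: xmctf{Th3_L0ud3st_Wh1sp3r_1s_1n_th3_PC4P_ju5t_RSA_4nd_4_L1ttl3_R3v3rs3}

The challenge provides an apk and a pcapng, so what it mainly tests is traffic analysis and RE?

First, open the capture.

All of the traffic is plain TCP. Follow the relevant TCP stream; after hex-decoding the outer layer, the real protocol can be recovered: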

HELLO Adic

HELLO December

MSG Adic

MSG December

OK December

From this we learn that the two usernames are December and Adic, and that the ciphertext is the third field of each MSG line, cipherhex.
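The extraction step described above, as an added example that is not part of the original post: it undoes the outer hex layer of a followed TCP stream and collects the `MSG <recipient> <cipherhex>` records. The sample stream, the function names and the way it is chunked are constructed for illustration.

```python
def decode_stream(payload_chunks):
    """Join TCP payload chunks (ASCII hex text) and undo the outer hex layer."""
    hex_text = b"".join(b"".join(payload_chunks).split())  # drop any whitespace
    if len(hex_text) % 2:
        raise ValueError("truncated capture: odd number of hex digits")
    return bytes.fromhex(hex_text.decode("ascii")).decode("utf-8", errors="replace")

def parse_records(plain):
    """Split the decoded stream into (verb, fields) records, one per line."""
    records = []
    for line in plain.split("\n"):
        if line.strip():
            verb, *fields = line.strip().split(" ")
            records.append((verb, fields))
    return records

def extract_ciphertexts(records):
    """Return (recipient, cipherhex) for every well-formed MSG record."""
    out = []
    for verb, fields in records:
        if verb != "MSG" or len(fields) != 2 or not fields[1]:
            continue
        recipient, cipherhex = fields
        try:
            bytes.fromhex(cipherhex)      # third field must be valid hex
        except ValueError:
            continue
        out.append((recipient, cipherhex))
    return out

# Constructed sample (not the challenge capture): every protocol line is
# hex-encoded on the wire, then cut at arbitrary points like TCP segments.
_lines = ["HELLO Adic\n", "HELLO December\n", "MSG Adic 0a1b2c\n",
          "MSG December ff00\n", "MSG December not-hex\n", "OK December\n"]
_wire = "".join(l.encode().hex() for l in _lines).encode()
SAMPLE_CHUNKS = [_wire[:7], _wire[7:40], _wire[40:]]

if __name__ == "__main__":
    recs = parse_records(decode_stream(SAMPLE_CHUNKS))
    for to_user, ct_hex in extract_ciphertexts(recs):
        print(to_user, ct_hex)
```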

Then open jadx and search for MSG.

Auditing the code shows:

try {
    Z z = Z.INSTANCE;
    byte[] bytes = $msg.getBytes(Charsets.UTF_8);
    Intrinsics.checkNotNullExpressionValue(bytes, "getBytes(...)");
    String ct = z.x(bytes);
    $ww.write(this$0.strToHex("MSG " + $to + " " + ct + "\n"));
    $ww.flush();
    // ...

The core encryption logic is wrapped in a singleton class Z. Opening it shows System.loadLibrary("u"); which means the real encryption logic has been compiled into a native C/C++ shared library, which should be named libu.so.

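Change the apk extension to zip, find libu.so under D:\题目\polar招新赛\whisper\task - 副本\lib\arm64-v8a (that is where I saved it), load it into IDA, search for Java_com_example_polarisctf_Z_x and press F5 to audit the pseudocode.

This confirms that the encryption logic should simply be c = m^e mod n.

v58 = _JNIEnv::CallStaticObjectMethod(a1, v5, v11, 65537); the 65537 here should be the RSA public exponent, e = 65537.

N is hidden in byte_16B39.

Extract the 256-byte constant and XOR every byte with 0xa7 to recover the modulus N.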

N=1359289594911861706114410263039030781889501874535854365263922081700238941971104298775704733565166223684142297360239921080802503206559783832007855750334958326368538063619171609885459927586035302195455632768752776216956554963499448005445126927786242177611054827389185330231903625073278897391670581843035646913248732183168634640757720768465749375619368398241192399373901594871829578828976563808877743744957547821735170186252185438724528024345696208656639600908162373375395068724897936084947703562847353279296559280237330305142321357271051046159817216535038453709580872952011626071015235951428711736008848437349560705229

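Remember the two usernames seen at the start, December and Adic? They were already the hint: 12-Adic. The script is below; just change the values of N and base to get the result.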
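One way to use the 12-adic hint, as an added example that is not the author's script: it assumes the factors are sparse in base 12, so the base-12 digits of N are exactly the coefficients of p(x)·q(x) and factoring that polynomial over the integers splits N. It relies on sympy; the toy values P and Q and the function names are constructed for illustration.

```python
from sympy import Poly, symbols

def base_digits(n, base):
    """Little-endian digits of n in the given base."""
    digits = []
    while n:
        n, r = divmod(n, base)
        digits.append(r)
    return digits

def factor_via_base(n, base):
    """Factor n by reading its base-`base` digits as polynomial coefficients.

    Assumption: every coefficient of p(x)*q(x) stays below `base`, so no
    carries occur and the digits of n are the coefficients of the product.
    """
    x = symbols("x")
    f = Poly.from_list(base_digits(n, base)[::-1], x)  # highest degree first
    _, parts = f.factor_list()                         # irreducibles over Z
    divisors = []
    for g, mult in parts:
        divisors += [abs(int(g.eval(base)))] * mult    # evaluate factor at x = base
    divisors = sorted(d for d in divisors if d != 1)
    if len(divisors) < 2:
        raise ValueError("digit polynomial did not split: wrong base, or carries occurred")
    product = 1
    for d in divisors:
        product *= d
    if product != n:
        raise ValueError("evaluated factors do not multiply back to n")
    return divisors

# Constructed toy factors, sparse in base 12 (not the challenge values).
P = 12**5 + 12**2 + 1   # x^5 + x^2 + 1 at x = 12
Q = 12**4 + 12 + 1      # x^4 + x + 1   at x = 12

if __name__ == "__main__":
    print(factor_via_base(P * Q, 12))
```

When the digit polynomial does not split (wrong base, or a product whose coefficients carried), the function raises instead of returning a bogus factor.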

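Once the factorization is done, what remains is the simplest kind of RSA. Finally, just extract each ciphertext c (it has to be reversed, because a reverse was applied on output), convert it to a big-endian integer, and decode them one by one.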

from Crypto.Util.number import long_to_bytes, inverse

p1 = 36868470706740660787721421464905401836638682160738916157575932167838186821823203816862504942939622298233577061366025690141558155900129732569808373082717267322546448162330554815263837048444519812861283264131597010739527893818171189592788916363228096169326008940877347443099182961460083037598510103570883109069
p2 = 36868618872855576637213398869023300279772349207932113322672254231788065702824758828453490531917820959873836332987860364163434774496675567525583711123546693926958840058899873462649808625168239539537851361520061079636380707986615865669345690906899493078341494168035339192519609709750087267610727174510361968641
N = 1359289594911861706114410263039030781889501874535854365263922081700238941971104298775704733565166223684142297360239921080802503206559783832007855750334958326368538063619171609885459927586035302195455632768752776216956554963499448005445126927786242177611054827389185330231903625073278897391670581843035646913248732183168634640757720768465749375619368398241192399373901594871829578828976563808877743744957547821735170186252185438724528024345696208656639600908162373375395068724897936084947703562847353279296559280237330305142321357271051046159817216535038453709580872952011626071015235951428711736008848437349560705229
e = 65537


phi = (p1 - 1) * (p2 - 1)
d = inverse(e, phi)


ciphertexts = [
    ("December", "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"),
    ("Adic", "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"),
    ("December", "c835d2e7f57f95b9a5f1a0fcaafd17495460ec91bd262e06d5cb912f9295c6ee14461eca4c546aa0a142ae8f083fa71cb7304aa1ca43cdbb480537938f0f6c189c8cfb46774114469ccb853569d9b65dadc0b0769f048526ac8dfbcc144e00b507f19be9d919d2aff4ad8c9047cce38e8238504008915d20df478d63805178d18236caa9415eb64415464fa427cd744afed1149ee7006d518dad04128ff5c49fb959dc8956faa7a52a094650c731990f97f80378ee57649c75e727bc3a0c17e1b42c95bc48fa9e2b7602463a8f5739b5e0fa592bd71ea91e957fae5c10f1f9b8def7f8d0ce50194c5508935e442cb785e6ac3766bbf048a1ba2cd15c9f65fa00"),
    ("Adic", "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"),
    ("December", "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"),
    ("Adic", "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"),
    ("December", "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"),
    ("Adic", "2c1577527b6c5c9fdf39141b67e6f7ca770bf07752350c1b3fb2034b65a2dfb463118635471097e6dee328ef5385b7e3799c6265858e83bb99b6d5d69e807dbac41d68f8b6526cc8185985a1104791e2367f8a62e8ce2e8eb397808bafc11c04a9f8d0ce3871d357634afb9081cf4982ecb9d0d79bce1193f636805a91675ae25e68364dca040eb989d349b48497fa26f87507ebfabe32fcbc13b4c0c4adc925e61ef405fb9b07dfc10df344928a711fd6ad82b3e09b0fa08c91a26a83a8c44b09082d5ee85510971286c7e3b596c6e98853973ab573ba266aeb672525a4e26c68db043050b2088212479a8ce6db29e32f66934e5a76e69626376453c8694a07"),
    ("December", "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"),
    ("Adic", "aa88fa32b8e4b6817a30cb7e7c801dad36135e2931cfc5b7c77a9ecc3de29d2b66567e91242e29246cc65c18b7753ca0f6422ae01efaa3da85823b81aca9cc1c2f108a9a84ddcdff5fa1c39a380a4a6e669eeca6f07ec7100f52d2a8a743c205af3716377466d878c582961018ae6643373092a90ea96f31887cb7b7a68bf60fb9d198a5b096a36203182143cf1428919b95a469a45ff0caa82e75e7c10f4522b2eb30c5d12d63ab880e02632d248dee1a2f0771e56fb674f9e489315ddd3fab40ff13b3569a20c72bc192a4ded0836ad0f19c11f2fbdaf5590d07e496418c17d91622a2ba4fb92405d57d411066baa5f1b464fb4b9a524f673827e2b1ddfd05"),
    ("December", "2d5853750bb6a9305a14fd232b59b1eeb72d5c504d58694a291086a07124b7c86f293186677fcaaca5afd59effd7d2ad6923422a9cdd90528d033e92ac115ff0b811a3c1804f88a78652540c633a3a3500a02b0b7c9b8093b7735fd151d5b871b06e25e7aaa019ecca2d8860733eb29d3b417fe7a5fb9f6a3dfd3ee8c84d82b70cb3ee9c4be7ea8a478d6fc24964b4e005d226c598b99b43a3a35af3051d6069767944f19f69bc8057c23228e97a019c15336491257c7a6ac5bf9af2d20497d3c47cb0513898a5783cd82c59ed3fb4c1df30dbcbe1c623c779d37680196a1b3876d6799832799628a6c5d5742aa9e886b167f9025c99c043b26360f873374001"),
    ("Adic", "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"),
    ("December", "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"),
    ("Adic", "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"),
    ("December", "5a77e012b59116a90293bf6de5be13083e9ca6e7e306147db1c29d3727b65f2fa80835aa55a3c1610879f39e71a446dc9048fc377cf11a8611fb8497f3d111869d05b806724cecb0a3271691033409fbb54c6c98d3f032e830d323473134ce26c6f4fdeddab8e301e5d464b475e27f21cca89dc712777ad51c9440846f77ea1e187189f0c6c4b36d73304153136f5adfbf0d87128473cdbcc57182dea463cfb4a79fe285e1343aa958d2d1143351759de20602727ebc863cbcd12ffcd5f203c3f8f1a7ced78e2a3917c284d7cadd08423828474e1d48ebe7d0b3c4e374c36011d44e5c5d74259f2263fa9979c2478a20083470ae988e8301b94f929201e27705"),
    ("Adic", "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"),
    ("December", "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"),
    ("Adic", "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")
]


def unpad_pkcs1_v15(m_bytes):
    """Detect and strip PKCS#1 v1.5 padding"""
    if m_bytes.startswith(b'\x02'):
        try:
            idx = m_bytes.index(b'\x00', 1)
            return m_bytes[idx+1:]
        except ValueError:
            return m_bytes
    return m_bytes


flag_parts = []
for idx, (to_user, ct_hex) in enumerate(ciphertexts, 1):
    try:
        ct_bytes = bytes.fromhex(ct_hex)
    except ValueError:
        continue  # skip entries whose hex is not intact
    ct_bytes_reversed = ct_bytes[::-1]
    c = int.from_bytes(ct_bytes_reversed, 'big')
    m_int = pow(c, d, N)
    m_bytes = long_to_bytes(m_int)
    plaintext_bytes = unpad_pkcs1_v15(m_bytes)
    text = plaintext_bytes.decode('utf-8', errors='ignore')
    print(f"[{idx:02d}] 发送给 {to_user}:")
    print(f">>> {text}")
    print("-" * 50)
    flag_parts.append(text)


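2. This week I also spent time studying Wang Shuang's assembly language book, supposedly to lay a good foundation for RE or pwn later (though it may also be completely useless; after all, AI can already crush this stuff instantly and there is no room left for humans).

3. Next week I will probably follow the senior members in learning to configure an agent and apply it in practice; it's quite interesting. The openclaw I configured before was like scratching an itch through a boot, not really usable.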

posted @ 2026-03-30 23:43  A1g3rn0n