import ast
import binascii
import time

from pwn import *
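class Enc:
    """XOR key-stream encoder for the proxy's wire format.

    ``BASE_KEY`` is the 16-byte key applied to bytes 0..15 of a connection;
    an optional second 16-byte block (``key2``, hex) extends the stream so one
    instance can encode a 32-byte request.  ``i`` is the current offset into
    the key stream; callers reset it directly (``e.i = 0`` in test()), so it
    is deliberately a plain attribute.
    """

    # Key for bytes 0..15 of every connection.
    BASE_KEY = binascii.unhexlify('7d07cba30c2a82cf2b2119e5ff2c2e8d')

    def __init__(self, key2=None):
        """Build a fresh key stream: BASE_KEY, optionally followed by ``key2`` (hex)."""
        # Per-instance copy.  The original kept ``key`` as a class-level list
        # and did ``self.key += ...``, which extended the *shared* list: every
        # later Enc() silently inherited key2, and a second Enc(other_key2)
        # encoded bytes 16..31 with the first key2 instead of the new one.
        self.key = list(Enc.BASE_KEY)
        self.i = 0
        if key2:
            self.key += list(binascii.unhexlify(key2))

    def enc(self, input):
        """XOR ``input`` with the key stream starting at offset ``i`` and advance ``i``.

        Raises ValueError if the remaining key stream is shorter than ``input``;
        the original silently truncated the output (zip stops at the shorter
        sequence), which would shift every probe byte the caller appends.
        """
        remaining = self.key[self.i:]
        if len(input) > len(remaining):
            raise ValueError(
                f'key stream has {len(remaining)} bytes left at offset {self.i}, '
                f'input is {len(input)} bytes')
        out = bytes(k ^ x for k, x in zip(remaining, input))
        self.i += len(input)
        return out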
# Captured proxy traffic as hex blocks, one 16-byte block per line (the last
# block of each run is shorter).  Under the base key the runs starting at
# 7805… / 7807… decrypt to 05 02 … / 05 00 …, so they look like the start of
# a new client / server message keyed again from the base key (inferred from
# the XOR arithmetic only; confirm against the capture).  show() decrypts
# cips[i+1] with the key stored under cips[i] in keymap.
cips = '''7805cba2092b82ceeb89060ae06c7ec2
f5a654c86b20842b791c1a53a6093832
0f6854f6aca247b925c630db5de0ed48
9dca44a75b3cf48c14c200c5bf2ee271
32d802905df15f4eda528cd7e4585f49
5c22402505d619f7819baa1c54625106
d5767d62db32e24408f94a2c4430db00
897c42ff20dba2e8c6cf6986fd1f1ac8
88c1946bbb65cdc61438f010d53262f9
3a6723c4568ab49b9741ca8c56e7b8aa
9acafe5fcd367bd790d246e42460b964
7de8844d4ffd573044a9d91da1efafc8
e3dfa6fcf444285350382453932b04f8
429daefb5846d4c2019cfee0f1118ba3
e8be21ddc0eeb36322a6913e6f60bd2b
e59a62f440893599bfc3195e2578ae1f
f26088726ce5739e9040710138aefee3
4c27552e8e0f62a6c8d30542a43077ba
ef9a172a3e0babc9af331d17e0c4704d
9f0c7642d4603008c1990021b9a5bd6b
89c8c09d60d8e75af02109740987f58c
ae4713cad92fef9c0ccc5a094522904e
da7510bf94276eef5cc87362a56477ba
e3803369ea4ff81cd4df24748276a5a1
776841f4309391522ebf0fa222f20e2f
e33d6b81f371e35479ba03a4d6b539c4
92aa92abda62cbb0167304f2826c0307
b56ba8513163e46778
7807cea30c2b2eda2b239cb1b7787add
0e35c98b58e3e6a1b7d8dcf1baa256f1
9f31155c1f2241e8d9d263c6692c336a
154cb2652ed11b8d094639a5a0d8d30c
4d666cd7babadcf0c9320658d40a3ab6
48a63dd377ce59736f5e8ed411227824
dee1bed7ee8e16e6a4402344480a8038
59edfb4cb2dff392920646da1aecd15f
946ebf86b0c0f99f991b006a59d9f837
02ab8edc9013ac0e3d76f5f97511348c
7f27b0eaaab409f45ed267327293a8e3
e8e87257aeb5293d1c9b73fa8dca9481
77ed2dbef73d3fdeef7c75496095ac4d
37a66d0595aa1914f5886eca4a59c48f
f9279518b72cfcffe79a609906b71670
690072bf579c543626daf855dfbf3da0
a5aca77f6e6db3634b75527c401ed535
fc299336040e9dd93cbb9177b1fc3236
15b4060cbc03ab36bb1250ce14908e5e
e70ff22ff332b27898ae84517dc099ec
183b420cb8c09b4809a252eacf2342ff
869e7e950cdf5a0246d178c836d7ae94
4a11f4ba9f4490e6a231f19e88c47fb5
2c6ad1f1df794249c4db825cd7a46013
9258140e12ab8a2c5ce7794c39e8f138
51bcf0dd873b3718e6e16168d7e763a8
a07d7d509adefed5b00aeef9387d634f
963ab6a9b5d6d6edaf24db8915d5aef1
880583a6b1a456bdb4bdb53183675b3a
32565b5372404f33a34a9ecc857e1283
b91ebfde22abede33de8f3d12a54a53c
7c5873f0c2dc91302710e279b445dce5
d86fcc6d3e8e539f830bd1c2c1e9ba9f
69793a1df414
7805cba2092b82ceeb89060ae06c7ec2
f5a654c86b20842b791c1a53a6093832
0f6854f6aca247b925c630db5de0ed48
9dca44a75b3cf48c14c200c5bf2ee271
32d802905df15f4eda528cd7e4585f49
5c22402505d619f7819baa1c54625106
d5767d62db32e24408f94a2c4430db00
8a7d41c627928ee9dcde629ca46637c1
f728e3dfb4c001fc0f21480b7c6883a7
50de82dc19132705f1c911f39ec674d3
d4471cbeb7cd2b117c9796ff4e71aa3d
e3b1ae9bca932dc63eee46ac2bfc4aa1
75787bb9f6b636e959a45f9007700d92
3b7d1f7c35c6d41b3c0e76f146cc1191
aa2ea9d34417cc9f99619f3a39b6d492
4009e384d19ba15c6503c3a5969aa91c
aee12a17fc3529ba79cc4e6e9b93da54
a4a97997c18fd6f6e7184ca357a8e5c1
6333ffca3718d2685bfe296af5251858
0108265dc8b712df75e1ff941b7ac89f
f938aab2fa2c6866d829d71cf7012e3d
7d1353c49fa6c7d9ff3ffa6ad5139007
c2f2b34c80252c26fde65b97dd6b1eba
74a3011b6d16816519ec536e3724ac2b
de0f3dab539265a5a8e95cc9e1d8d37b
ba4b52cb61a1883aee0ec2bc03fe7c1d
adc41e28e270a851d073e85aa4e407b2
3bd75fcd3a14ea4eb9b0c0bf96db704b
9202aa04062123a735510cb91222d7f9
3e3bca1ab5f241d62f9b90bc9f90501a
ee270c291d8303f44f78189771806329
57645e9775c92d94ec8adb64487cd977
dd05c177ae638a12606b3e8e8f5dea2a
13bf0da769915ec079e2b92d46750f56
1f22cba1ae0daddc08e3bdb72b9d4961
f950f278e46ecb15db92bab954ed3b9b
e4a205c080343328f08b511bec79c558
d7a7b6682d46e6b161230902fbfc5c12
2214fcc6a29d151ea47763344c67234b
056b7fa0be25410cfd6dceb8899097b3
22985e66afb75df905bf5fd415f5d937
e104c655f29dd56ca7c09659ad70c172
cb8ea9a47dd669523a1ce736a7fc923e
e8f07493bd3b5b0616968253e745015f
567628ebc060fa8f4a6edfaa49336e42
6ddbff724b524ca2c419d88dd1856ea5
4777fb6322a5c88e41096fd18a86457f
a0d1f81928a0e433d05f931f01cb16e5
ba4bf466ccbac3ad792bb670d6cf7795
442990c91bac74000a0b7cb353f7b7e6
c99d1a6355811d8c06e678ccb6f3dacf
3dab88507709a76548ba3650456f1707
1239a13e59e01d9b385b30ab00619b93
e37976f9eac2d13319f1ff2b6084b6c1
121518fad60c9c187e5d80372f593c55
03bd7f1f71f3c66e75f9ad27176496c1
9ed2a64d2d9a24034abcd2d3c97a13c8
62795f61e56dae73e491a82390d97473
642fb7d7a4ad8d7ebc12536c019cdfda
8ac0073dce61d4ce413bde9110b9db6a
780e65e444afea3f6d7b3be21f1c972e
46bae4aca4419ebfc6bf51228bd4d12b
ed0f2df853e4e3c6b902620040a07eb3
5c9ba361e58a94517582103add0e84ff
876c0f3f375bac7cd86802914b0a8934
488839b8340640c3083640af6ec4a7ac
532acb6f6279ced850d306a6a43514d0
715510976116b8def75a97bc10c5d4a4
cd257ff8faea1fc71202f73714b41347
10897e205f356da117cb8722d744fc61
f0df3a4dd54e6d2d67780d7e2ced2afd
d84fe9bbda88b842a2e8704e8889aff2
4915038e563ccc1668a339ff5f04859a
16fcfc12593fd114c7ec46b9285fad60
11dc36e7921f09a2523de0168b9c833f
14c2bf9caa3aabb73ab7b6d4ffbe401c
1ca056be4ddae4a2b5ff75df2b2d1003
1fd36f47aaa9c6c3c57cc607bee6de7e
0e0d416ea0c368feb0317fbb94c09360
d421886cbb4642d75788d4f6c1c7411e
e67b7850330f90c7f8db7a4d08228038
effc2e0a9fd8757e5d149048840ef303
6ddec318db3cb3bb78d078b8817c536b
081deace66df121e5e1485ea19cd41d6
4fc5690ed4bc145bcc5cdeeabec9c037
5135fc4d9f5de8f3514241d8f6bf7f66
d2768630c9f7c2c22025955634767a1f
25a636b1d36370bdfc6983ca96c2a9d6
7f27184d0bca459f966a6f890a023e4d
fd12e70fa1f909c57d97aa229da439a6
9a7ce7e0d580ac537fa2ddc65b18d0b3
db3f2309
7807cea30c2b2eda2b239cf1b7787add
84f00cd68875511996a4e50545fcb39e
aec1dbe067c9b8c2976e199cc5fddd32
dc07005b4dc48abc9e822cb1184b834b
8aa6505b5459fb3c32e8a63e5c0c1e9d
95216d36b8cc0808b14092a6911b0889
bcb57d4d50e680f45b97be4db67dea74
d8827a5d7b5a9e7b3b98b6c5bff8fed2
ea4c91d8c917d54e2d00c1053acf09be
862cdcf2e916f3e768b1a5fe0150694a
6158133542a88b1fc57a1ccf313d3777
70dbbe39a5ba4da93ce853bbb5376075
936791115d56bd5eeccf558de85ba83e
d40632c9143780fdd3342f564b3e11aa
417efe6f94368ec522ba451521065d6e
e04c0b3bd6976c0b5d42f0786ce1dda6
01c2199f7a109c75d7a1c62259a32f45
fba90ce74b5da0daced0579a64c91b71
983dbc10e860dc13298755d4089bb44a
03dafbd82faab6ad16b9dd57c26c04a2
bc7be71f1f571f402faa52d30ed94128
f30a00a1dcd5dbf772d27035f4fe7267
523e15f123e28bb97e7a0b7750321f55
4ff157d1b863e7375f356d2e66b35d08
fa57191067833a49182955c199f2d6d2
6c46a4147c8423a0e6b3d34516f17a65
d6ebd543e051bb7a9e187e0a24e91959
210eba033ab6e2239cc5351c0256647e
17bd5d51ce34080fbf317a2a7fb2dc46
61ff95befa03935622a95d92ccb12441
2cf35fb238c2d31f01ac5f7e8ec313ce
c5b87a5016984484526d6874e6270ae9
100b6c4ee6f0a14ff0ea7d77d8142c04
47f9716371604c'''.split()
# First 16 encrypted bytes of every probe: 0x05, a length byte of 46
# (14 + 16 + 16 bytes follow) and 14 filler bytes.  Per the notes below, a
# different filler produced a different key2 for bytes 16..31, so each filler
# has to be paired with the key2 that was recovered for it.
payload1 = Enc().enc(bytes([0x05, 14 + 16 + 16]) + bytes.fromhex('fffffffffffffffff9ffffffffff'))
# key2 recovered for the filler above: 189410e31465117b000c14151d110066
# blocks find_key3() had to skip with that key2:
#   ['88c1946bbb65cdc61438f010d53262f9', '429daefb5846d4c2019cfee0f1118ba3', 'da7510bf94276eef5cc87362a56477ba', '02ab8edc9013ac0e3d76f5f97511348c', '183b420cb8c09b4809a252eacf2342ff', '715510976116b8def75a97bc10c5d4a4', '5135fc4d9f5de8f3514241d8f6bf7f66', 'd8827a5d7b5a9e7b3b98b6c5bff8fed2', 'd40632c9143780fdd3342f564b3e11aa', '417efe6f94368ec522ba451521065d6e']
#
# Alternative fillers that were used for the skipped blocks (swap in and rerun
# find_key2() to reproduce the matching key2):
# payload1 = Enc().enc(bytes([0x05, 14 + 16 + 16]) + b'\xdd' * 14)
# key2: 1894103d1e941128007814bf08001186
# cips: ['88c1946bbb65cdc61438f010d53262f9', '429daefb5846d4c2019cfee0f1118ba3', '02ab8edc9013ac0e3d76f5f97511348c', '5135fc4d9f5de8f3514241d8f6bf7f66', 'd8827a5d7b5a9e7b3b98b6c5bff8fed2', '417efe6f94368ec522ba451521065d6e']
# skip: ['da7510bf94276eef5cc87362a56477ba', '183b420cb8c09b4809a252eacf2342ff', '715510976116b8def75a97bc10c5d4a4', 'd40632c9143780fdd3342f564b3e11aa']
# payload1 = Enc().enc(bytes([0x05, 14 + 16 + 16]) + b'\xff' * 14)
# key2: 0a02864e50d0023e4a10e29602bf3b4e
# cips: ['da7510bf94276eef5cc87362a56477ba', '183b420cb8c09b4809a252eacf2342ff', '715510976116b8def75a97bc10c5d4a4', 'd40632c9143780fdd3342f564b3e11aa']
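def test(e, payload):
    """Send ``payload`` on a fresh connection and report whether the server accepted it.

    Returns True when the reply is exactly ``b'\\x78\\x07'``, which XORs with the
    first two bytes of the base key (7d 07) to ``05 00`` — presumably a SOCKS5
    "no authentication required" answer, so the server's accept/reject acts as
    a one-byte oracle for the probing in find_key2()/find_key3() (confirm
    against the service).  Returns False on any other non-empty reply.  Empty
    replies are retried at once; connection errors are retried after 3 s,
    without limit.

    ``e.i`` is reset to 0 on every attempt so the caller's next ``e.enc`` call
    starts again at key offset 0.
    """
    while True:
        p = None
        try:
            p = remote('13.52.88.46', 50000)
            e.i = 0
            p.send(payload)
            a = p.recv()
        except Exception:
            # Refused / timed-out / EOF: back off and retry.  The original used
            # a bare ``except:``, which also swallowed KeyboardInterrupt and
            # made the loop impossible to stop; it also never closed ``p`` on
            # this path.
            time.sleep(3)
            continue
        finally:
            if p is not None:
                p.close()
        if a == b'\x78\x07':
            return True
        if a:
            return False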
def find_key2():
    """Recover the key for bytes 16..31 (key2) through the server oracle.

    Each probe is the module-level ``payload1`` (16 encrypted bytes) followed by
    32 raw bytes.  Phase 1 sends every byte value repeated 32 times and keeps
    the values the server accepts.  Phase 2 puts one accepted value at offset
    ``pos`` inside a filler the server rejects, so the value that is accepted
    there is the key byte for that position.  Prints progress and the
    recovered key as hex; uses the module-level ``test`` and ``payload1``.
    """
    enc = Enc()

    # Phase 1: which byte values does the server accept anywhere in the probe?
    accepted = []
    for value in range(0x100):
        if test(enc, payload1 + bytes([value]) * 32):
            accepted.append(value)
    print(f'found: {accepted}')

    # A byte the server never accepts, so it cannot trigger the oracle itself.
    filler = next((v for v in range(0x100) if v not in accepted), 0)

    # Phase 2: pin each accepted value to its position.
    recovered = []
    for pos in range(16):
        for value in accepted:
            probe = bytes([filler]) * pos + bytes([value]) + bytes([filler]) * (31 - pos)
            print(binascii.hexlify(bytes(recovered + [value])))
            if test(enc, payload1 + probe):
                recovered.append(value)
                break
    print(binascii.hexlify(bytes(recovered)))
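# Recovered keys: ciphertext block (hex str) -> hex key for the block that
# follows it (see show()).  Seeded with two blocks; overridden by the 'keys'
# cache that find_key3() writes, when that file exists.
keymap = {'7805cba2092b82ceeb89060ae06c7ec2': b'a6f274e74b68d07f29332b7d9704327a', 'f5a654c86b20842b791c1a53a6093832': b'601b20cc8c937e8b0bf706e373d3dc66'}
try:
    with open('keys', 'r') as f:
        # The cache is str(dict) written by find_key3().  literal_eval parses
        # that literal without executing code; the original used eval(), which
        # would run anything placed in the file.
        keymap = ast.literal_eval(f.read())
except FileNotFoundError:
    # No cache yet: keep the seed above instead of failing at import time.
    pass
# Blocks find_key3() could not probe in this run; persisted to 'skip'.
skip_list = []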
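def find_key3(key2, filler=b'\xff' * 14):
    """Recover, for each captured block, the key used on the block that follows it.

    For every 32-hex-char block ``cip`` in the module-level ``cips`` not yet in
    ``keymap``: build a 32-byte request whose bytes 16..31 decrypt under
    ``key2`` to ``cip`` itself (``pla = cip ^ key2``, so the wire bytes equal
    ``cip``), append 16 raw probe bytes, and recover the 16 key bytes applied
    to those probes byte by byte with the server oracle, as find_key2() does.
    show() then decrypts the block after ``cip`` with that key, so the proxy's
    key for a block apparently depends on the preceding ciphertext block
    (inferred from show(); confirm against the service).

    Args:
        key2: hex key for bytes 16..31, as recovered by find_key2().
        filler: the 14 bytes after the two-byte header in the first block.
            The original hard-coded ``b'\\xff' * 14`` and never read
            ``payload1``, so the ``payload1`` rebindings in ``__main__`` had no
            effect here — pass the filler that matches ``key2``.

    Side effects: appends to ``skip_list`` and rewrites 'skip' and 'keys'
    after each block; returns early once ``cip`` appears in 'keysre' (that
    file must exist; purpose kept as in the original).  Fixes ``cips[]``, a
    syntax error in the original.
    """
    if len(filler) != 14:
        raise ValueError(f'filler must be 14 bytes, got {len(filler)}')
    e = Enc(key2)
    for cip in cips:
        if cip in keymap or len(cip) != 32:
            continue
        # Blocks with a byte equal to the key2 byte at the same offset cannot
        # be probed with this key2: collect them and run them with another key2
        # later.  (Presumably such a byte decrypts to 0x00 inside bytes 16..31
        # and satisfies the oracle regardless of the probe.)  Recorded once per
        # block; the original appended once per matching offset.
        if any(cip[i * 2:i * 2 + 2] == key2[i * 2:i * 2 + 2] for i in range(16)):
            skip_list.append(cip)
            print(f'skip: {skip_list}')
            with open('skip', 'w') as f:
                f.write(str(skip_list))
            continue
        pla = bytes(x ^ y for x, y in zip(binascii.unhexlify(cip), binascii.unhexlify(key2)))
        # test() resets e.i after every probe; start explicitly at offset 0
        # here as well so a skipped block cannot leave the stream misaligned.
        e.i = 0
        payload12 = e.enc(b'\x05' + bytes([14 + 16 + 16]) + filler + pla)

        # Phase 1: which byte values does the server accept in the probe region?
        know = []
        for x in range(0x100):
            if test(e, payload12 + bytes([x]) * 16):
                know.append(x)
                if len(know) == 16:
                    break
            print(f'test: {x:02x} found: {know}')
        print(f'found: {know}')

        # A byte the server never accepts, so it cannot trigger the oracle.
        padding = next((v for v in range(0x100) if v not in know), 0)

        # Phase 2: pin each value to its position.  Found values are removed
        # from ``know`` and remembered in ``low`` so a key byte that repeats an
        # earlier one can still be matched.
        key = []
        low = []
        for i in range(16):
            for x in know:
                probe = bytes([padding]) * i + bytes([x]) + bytes([padding]) * (15 - i)
                print(binascii.hexlify(bytes(key + [x])))
                if test(e, payload12 + probe):
                    key.append(x)
                    low.append(x)
                    know.remove(x)
                    break
            else:
                # No remaining candidate matched: retry the already-consumed
                # values.  The original tested ``x not in key`` with the stale
                # loop variable, which misfires when ``know`` is empty.
                for x in low:
                    probe = bytes([padding]) * i + bytes([x]) + bytes([padding]) * (15 - i)
                    print(binascii.hexlify(bytes(key + [x])))
                    if test(e, payload12 + probe):
                        key.append(x)
                        break
        print(binascii.hexlify(bytes(key)))
        keymap[cip] = binascii.hexlify(bytes(key))
        with open('keys', 'w') as f:
            f.write(str(keymap))
        with open('keysre', 'r') as f:
            if cip in f.read():
                return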
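def show(cip_list=None, key_map=None):
    """Print the decrypted capture as text, 16 characters per block.

    The first block is decrypted with the base key; each later block is
    decrypted with the key stored in ``key_map`` under the *previous* block
    (``key_map[cip_list[i]]`` is the key for ``cip_list[i + 1]``).  A block
    whose key is unknown prints as 16 '=' placeholders.  Bytes are shown as
    ``chr(byte)``, i.e. code points 0..255.

    Args:
        cip_list: hex ciphertext blocks; defaults to the module-level ``cips``.
        key_map: block -> hex key of the following block; defaults to ``keymap``.

    Fixes an IndexError in the original when the last block had a key entry
    (it read ``cips[i + 1]`` past the end); that case now prints nothing, and
    an empty ``cip_list`` prints nothing instead of raising.
    """
    if cip_list is None:
        cip_list = cips
    if key_map is None:
        key_map = keymap
    if not cip_list:
        return
    base = binascii.unhexlify('7d07cba30c2a82cf2b2119e5ff2c2e8d')

    def decrypt(cip_hex, key_bytes):
        return ''.join(chr(x ^ y) for x, y in zip(binascii.unhexlify(cip_hex), key_bytes))

    print(decrypt(cip_list[0], base), end='')
    for i, cip in enumerate(cip_list):
        key = key_map.get(cip)
        if not key:
            print('=' * 16, end='')
            continue
        if i + 1 >= len(cip_list):
            break
        print(decrypt(cip_list[i + 1], binascii.unhexlify(key)), end='')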
# Runs at import time: prints whatever the 'keys' cache can already decrypt.
show()
if __name__ == "__main__":
    context.log_level='error'
    context.timeout=5
    # find_key2()
    # Pass 1: key2 recovered with the 'ffff…f9ffff…' filler of payload1 above.
    # NOTE(review): find_key3() never reads payload1 — it hard-codes
    # b'\xff'*14 as the filler — so the payload1 rebindings in this block do
    # not change what it sends; confirm each key2 below was recovered with the
    # filler find_key3() actually uses.
    find_key3('189410e31465117b000c14151d110066')
    # Pass 2: the blocks that had to be skipped in pass 1, with the key2 for
    # the 0xff filler.  Rebinds the module-level cips that find_key3() walks.
    # key2: 0a02864e50d0023e4a10e29602bf3b4e
    cips = ['da7510bf94276eef5cc87362a56477ba', '183b420cb8c09b4809a252eacf2342ff', '715510976116b8def75a97bc10c5d4a4', 'd40632c9143780fdd3342f564b3e11aa']
    payload1 = Enc().enc(b'\x05' + p8(14+16+16) + p8(0xff)*14)
    find_key3('0a02864e50d0023e4a10e29602bf3b4e')
    # Pass 3: the remaining blocks, with the key2 noted for the 0xdd filler.
    payload1 = Enc().enc(b'\x05' + p8(14+16+16) + p8(0xdd)*14)
    # key2: 1894103d1e941128007814bf08001186
    cips = ['88c1946bbb65cdc61438f010d53262f9', '429daefb5846d4c2019cfee0f1118ba3', '02ab8edc9013ac0e3d76f5f97511348c', '5135fc4d9f5de8f3514241d8f6bf7f66', 'd8827a5d7b5a9e7b3b98b6c5bff8fed2', '417efe6f94368ec522ba451521065d6e']
    # skip: ['da7510bf94276eef5cc87362a56477ba', '183b420cb8c09b4809a252eacf2342ff', '715510976116b8def75a97bc10c5d4a4', 'd40632c9143780fdd3342f564b3e11aa']
    # NOTE(review): this call passes the 0a02… key2 again although the comment
    # above names 1894103d… for this filler — looks like a copy-paste slip;
    # verify before rerunning.
    find_key3('0a02864e50d0023e4a10e29602bf3b4e')