Created
January 12, 2021 11:51
-
-
Save Cirn09/82f21ffcd9bb8db4917812782e2186e1 to your computer and use it in GitHub Desktop.
rwctf_personal_proxy.py
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
from pwn import * | |
import binascii | |
import time | |
class Enc: | |
key = list(binascii.unhexlify('7d07cba30c2a82cf2b2119e5ff2c2e8d')) | |
i = 0 | |
def __init__(self, key2=None): | |
if key2: | |
self.key += list(binascii.unhexlify(key2)) | |
def enc(self, input): | |
out = [] | |
for k, x in zip(self.key[self.i:], input): | |
out.append(k^x) | |
self.i += len(input) | |
return bytes(out) | |
cips = '''7805cba2092b82ceeb89060ae06c7ec2 | |
f5a654c86b20842b791c1a53a6093832 | |
0f6854f6aca247b925c630db5de0ed48 | |
9dca44a75b3cf48c14c200c5bf2ee271 | |
32d802905df15f4eda528cd7e4585f49 | |
5c22402505d619f7819baa1c54625106 | |
d5767d62db32e24408f94a2c4430db00 | |
897c42ff20dba2e8c6cf6986fd1f1ac8 | |
88c1946bbb65cdc61438f010d53262f9 | |
3a6723c4568ab49b9741ca8c56e7b8aa | |
9acafe5fcd367bd790d246e42460b964 | |
7de8844d4ffd573044a9d91da1efafc8 | |
e3dfa6fcf444285350382453932b04f8 | |
429daefb5846d4c2019cfee0f1118ba3 | |
e8be21ddc0eeb36322a6913e6f60bd2b | |
e59a62f440893599bfc3195e2578ae1f | |
f26088726ce5739e9040710138aefee3 | |
4c27552e8e0f62a6c8d30542a43077ba | |
ef9a172a3e0babc9af331d17e0c4704d | |
9f0c7642d4603008c1990021b9a5bd6b | |
89c8c09d60d8e75af02109740987f58c | |
ae4713cad92fef9c0ccc5a094522904e | |
da7510bf94276eef5cc87362a56477ba | |
e3803369ea4ff81cd4df24748276a5a1 | |
776841f4309391522ebf0fa222f20e2f | |
e33d6b81f371e35479ba03a4d6b539c4 | |
92aa92abda62cbb0167304f2826c0307 | |
b56ba8513163e46778 | |
7807cea30c2b2eda2b239cb1b7787add | |
0e35c98b58e3e6a1b7d8dcf1baa256f1 | |
9f31155c1f2241e8d9d263c6692c336a | |
154cb2652ed11b8d094639a5a0d8d30c | |
4d666cd7babadcf0c9320658d40a3ab6 | |
48a63dd377ce59736f5e8ed411227824 | |
dee1bed7ee8e16e6a4402344480a8038 | |
59edfb4cb2dff392920646da1aecd15f | |
946ebf86b0c0f99f991b006a59d9f837 | |
02ab8edc9013ac0e3d76f5f97511348c | |
7f27b0eaaab409f45ed267327293a8e3 | |
e8e87257aeb5293d1c9b73fa8dca9481 | |
77ed2dbef73d3fdeef7c75496095ac4d | |
37a66d0595aa1914f5886eca4a59c48f | |
f9279518b72cfcffe79a609906b71670 | |
690072bf579c543626daf855dfbf3da0 | |
a5aca77f6e6db3634b75527c401ed535 | |
fc299336040e9dd93cbb9177b1fc3236 | |
15b4060cbc03ab36bb1250ce14908e5e | |
e70ff22ff332b27898ae84517dc099ec | |
183b420cb8c09b4809a252eacf2342ff | |
869e7e950cdf5a0246d178c836d7ae94 | |
4a11f4ba9f4490e6a231f19e88c47fb5 | |
2c6ad1f1df794249c4db825cd7a46013 | |
9258140e12ab8a2c5ce7794c39e8f138 | |
51bcf0dd873b3718e6e16168d7e763a8 | |
a07d7d509adefed5b00aeef9387d634f | |
963ab6a9b5d6d6edaf24db8915d5aef1 | |
880583a6b1a456bdb4bdb53183675b3a | |
32565b5372404f33a34a9ecc857e1283 | |
b91ebfde22abede33de8f3d12a54a53c | |
7c5873f0c2dc91302710e279b445dce5 | |
d86fcc6d3e8e539f830bd1c2c1e9ba9f | |
69793a1df414 | |
7805cba2092b82ceeb89060ae06c7ec2 | |
f5a654c86b20842b791c1a53a6093832 | |
0f6854f6aca247b925c630db5de0ed48 | |
9dca44a75b3cf48c14c200c5bf2ee271 | |
32d802905df15f4eda528cd7e4585f49 | |
5c22402505d619f7819baa1c54625106 | |
d5767d62db32e24408f94a2c4430db00 | |
8a7d41c627928ee9dcde629ca46637c1 | |
f728e3dfb4c001fc0f21480b7c6883a7 | |
50de82dc19132705f1c911f39ec674d3 | |
d4471cbeb7cd2b117c9796ff4e71aa3d | |
e3b1ae9bca932dc63eee46ac2bfc4aa1 | |
75787bb9f6b636e959a45f9007700d92 | |
3b7d1f7c35c6d41b3c0e76f146cc1191 | |
aa2ea9d34417cc9f99619f3a39b6d492 | |
4009e384d19ba15c6503c3a5969aa91c | |
aee12a17fc3529ba79cc4e6e9b93da54 | |
a4a97997c18fd6f6e7184ca357a8e5c1 | |
6333ffca3718d2685bfe296af5251858 | |
0108265dc8b712df75e1ff941b7ac89f | |
f938aab2fa2c6866d829d71cf7012e3d | |
7d1353c49fa6c7d9ff3ffa6ad5139007 | |
c2f2b34c80252c26fde65b97dd6b1eba | |
74a3011b6d16816519ec536e3724ac2b | |
de0f3dab539265a5a8e95cc9e1d8d37b | |
ba4b52cb61a1883aee0ec2bc03fe7c1d | |
adc41e28e270a851d073e85aa4e407b2 | |
3bd75fcd3a14ea4eb9b0c0bf96db704b | |
9202aa04062123a735510cb91222d7f9 | |
3e3bca1ab5f241d62f9b90bc9f90501a | |
ee270c291d8303f44f78189771806329 | |
57645e9775c92d94ec8adb64487cd977 | |
dd05c177ae638a12606b3e8e8f5dea2a | |
13bf0da769915ec079e2b92d46750f56 | |
1f22cba1ae0daddc08e3bdb72b9d4961 | |
f950f278e46ecb15db92bab954ed3b9b | |
e4a205c080343328f08b511bec79c558 | |
d7a7b6682d46e6b161230902fbfc5c12 | |
2214fcc6a29d151ea47763344c67234b | |
056b7fa0be25410cfd6dceb8899097b3 | |
22985e66afb75df905bf5fd415f5d937 | |
e104c655f29dd56ca7c09659ad70c172 | |
cb8ea9a47dd669523a1ce736a7fc923e | |
e8f07493bd3b5b0616968253e745015f | |
567628ebc060fa8f4a6edfaa49336e42 | |
6ddbff724b524ca2c419d88dd1856ea5 | |
4777fb6322a5c88e41096fd18a86457f | |
a0d1f81928a0e433d05f931f01cb16e5 | |
ba4bf466ccbac3ad792bb670d6cf7795 | |
442990c91bac74000a0b7cb353f7b7e6 | |
c99d1a6355811d8c06e678ccb6f3dacf | |
3dab88507709a76548ba3650456f1707 | |
1239a13e59e01d9b385b30ab00619b93 | |
e37976f9eac2d13319f1ff2b6084b6c1 | |
121518fad60c9c187e5d80372f593c55 | |
03bd7f1f71f3c66e75f9ad27176496c1 | |
9ed2a64d2d9a24034abcd2d3c97a13c8 | |
62795f61e56dae73e491a82390d97473 | |
642fb7d7a4ad8d7ebc12536c019cdfda | |
8ac0073dce61d4ce413bde9110b9db6a | |
780e65e444afea3f6d7b3be21f1c972e | |
46bae4aca4419ebfc6bf51228bd4d12b | |
ed0f2df853e4e3c6b902620040a07eb3 | |
5c9ba361e58a94517582103add0e84ff | |
876c0f3f375bac7cd86802914b0a8934 | |
488839b8340640c3083640af6ec4a7ac | |
532acb6f6279ced850d306a6a43514d0 | |
715510976116b8def75a97bc10c5d4a4 | |
cd257ff8faea1fc71202f73714b41347 | |
10897e205f356da117cb8722d744fc61 | |
f0df3a4dd54e6d2d67780d7e2ced2afd | |
d84fe9bbda88b842a2e8704e8889aff2 | |
4915038e563ccc1668a339ff5f04859a | |
16fcfc12593fd114c7ec46b9285fad60 | |
11dc36e7921f09a2523de0168b9c833f | |
14c2bf9caa3aabb73ab7b6d4ffbe401c | |
1ca056be4ddae4a2b5ff75df2b2d1003 | |
1fd36f47aaa9c6c3c57cc607bee6de7e | |
0e0d416ea0c368feb0317fbb94c09360 | |
d421886cbb4642d75788d4f6c1c7411e | |
e67b7850330f90c7f8db7a4d08228038 | |
effc2e0a9fd8757e5d149048840ef303 | |
6ddec318db3cb3bb78d078b8817c536b | |
081deace66df121e5e1485ea19cd41d6 | |
4fc5690ed4bc145bcc5cdeeabec9c037 | |
5135fc4d9f5de8f3514241d8f6bf7f66 | |
d2768630c9f7c2c22025955634767a1f | |
25a636b1d36370bdfc6983ca96c2a9d6 | |
7f27184d0bca459f966a6f890a023e4d | |
fd12e70fa1f909c57d97aa229da439a6 | |
9a7ce7e0d580ac537fa2ddc65b18d0b3 | |
db3f2309 | |
7807cea30c2b2eda2b239cf1b7787add | |
84f00cd68875511996a4e50545fcb39e | |
aec1dbe067c9b8c2976e199cc5fddd32 | |
dc07005b4dc48abc9e822cb1184b834b | |
8aa6505b5459fb3c32e8a63e5c0c1e9d | |
95216d36b8cc0808b14092a6911b0889 | |
bcb57d4d50e680f45b97be4db67dea74 | |
d8827a5d7b5a9e7b3b98b6c5bff8fed2 | |
ea4c91d8c917d54e2d00c1053acf09be | |
862cdcf2e916f3e768b1a5fe0150694a | |
6158133542a88b1fc57a1ccf313d3777 | |
70dbbe39a5ba4da93ce853bbb5376075 | |
936791115d56bd5eeccf558de85ba83e | |
d40632c9143780fdd3342f564b3e11aa | |
417efe6f94368ec522ba451521065d6e | |
e04c0b3bd6976c0b5d42f0786ce1dda6 | |
01c2199f7a109c75d7a1c62259a32f45 | |
fba90ce74b5da0daced0579a64c91b71 | |
983dbc10e860dc13298755d4089bb44a | |
03dafbd82faab6ad16b9dd57c26c04a2 | |
bc7be71f1f571f402faa52d30ed94128 | |
f30a00a1dcd5dbf772d27035f4fe7267 | |
523e15f123e28bb97e7a0b7750321f55 | |
4ff157d1b863e7375f356d2e66b35d08 | |
fa57191067833a49182955c199f2d6d2 | |
6c46a4147c8423a0e6b3d34516f17a65 | |
d6ebd543e051bb7a9e187e0a24e91959 | |
210eba033ab6e2239cc5351c0256647e | |
17bd5d51ce34080fbf317a2a7fb2dc46 | |
61ff95befa03935622a95d92ccb12441 | |
2cf35fb238c2d31f01ac5f7e8ec313ce | |
c5b87a5016984484526d6874e6270ae9 | |
100b6c4ee6f0a14ff0ea7d77d8142c04 | |
47f9716371604c'''.split() | |
payload1 = Enc().enc(b'\x05' + p8(14+16+16) + binascii.unhexlify('fffffffffffffffff9ffffffffff')) | |
# key2: 189410e31465117b000c14151d110066 | |
# skip: ['88c1946bbb65cdc61438f010d53262f9', '429daefb5846d4c2019cfee0f1118ba3', 'da7510bf94276eef5cc87362a56477ba', '02ab8edc9013ac0e3d76f5f97511348c', '183b420cb8c09b4809a252eacf2342ff', '715510976116b8def75a97bc10c5d4a4', '5135fc4d9f5de8f3514241d8f6bf7f66', 'd8827a5d7b5a9e7b3b98b6c5bff8fed2', 'd40632c9143780fdd3342f564b3e11aa', '417efe6f94368ec522ba451521065d6e'] | |
# payload1 = Enc().enc(b'\x05' + p8(14+16+16) + p8(0xdd)*14) | |
# key2: 1894103d1e941128007814bf08001186 | |
# cips: ['88c1946bbb65cdc61438f010d53262f9', '429daefb5846d4c2019cfee0f1118ba3', '02ab8edc9013ac0e3d76f5f97511348c', '5135fc4d9f5de8f3514241d8f6bf7f66', 'd8827a5d7b5a9e7b3b98b6c5bff8fed2', '417efe6f94368ec522ba451521065d6e'] | |
# skip: ['da7510bf94276eef5cc87362a56477ba', '183b420cb8c09b4809a252eacf2342ff', '715510976116b8def75a97bc10c5d4a4', 'd40632c9143780fdd3342f564b3e11aa'] | |
# payload1 = Enc().enc(b'\x05' + p8(14+16+16) + p8(0xff)*14) | |
# key2: 0a02864e50d0023e4a10e29602bf3b4e | |
# cips: ['da7510bf94276eef5cc87362a56477ba', '183b420cb8c09b4809a252eacf2342ff', '715510976116b8def75a97bc10c5d4a4', 'd40632c9143780fdd3342f564b3e11aa'] | |
def test(e, payload): | |
while True: | |
try: | |
p = remote('13.52.88.46', 50000) | |
e.i = 0 | |
# payload = payload1 + p8(x)*32 | |
p.send(payload) | |
a = p.recv() | |
p.close() | |
if a == b'\x78\x07': | |
return True | |
if a: | |
return False | |
except: | |
time.sleep(3) | |
def find_key2(): | |
# p.send(s1(1)) | |
e = Enc() | |
know = [] | |
# 跑一下哪些可能是key | |
for x in range(0x100): | |
# p = remote('13.52.88.46', 50000) | |
# e.i = 0 | |
payload = payload1 + p8(x)*32 | |
# p.send(payload) | |
# a = p.recv() | |
# p.close() | |
# if a == b'\x78\x07': | |
if test(e, payload): | |
know.append(x) | |
print(f'found: {know}') | |
padding = 0 | |
for i in range(0x100): | |
if i not in know: | |
padding = i | |
break | |
key = [] | |
for i in range(16): | |
for x in know: | |
# p = remote('13.52.88.46', 50000) | |
# e.i = 0 | |
payload = payload1 + p8(padding)*i + p8(x) + p8(padding)*(31-i) | |
# p.send(payload) | |
print(binascii.hexlify(bytes(key + [x]))) | |
# a = p.recv() | |
# p.close() | |
# if a == b'\x78\x07': | |
if test(e, payload): | |
# e.key += bytes([x]) | |
key.append(x) | |
break | |
print(binascii.hexlify(bytes(key))) | |
keymap = {'7805cba2092b82ceeb89060ae06c7ec2': b'a6f274e74b68d07f29332b7d9704327a', 'f5a654c86b20842b791c1a53a6093832': b'601b20cc8c937e8b0bf706e373d3dc66'} | |
with open('keys', 'r') as f: | |
keymap = eval(f.read()) | |
skip_list = [] | |
def find_key3(key2): | |
e = Enc(key2) | |
for cip in cips[]: | |
if cip in keymap: | |
continue | |
if len(cip) != 32: | |
continue | |
# 此时跑不出来,收集起来下次跑 | |
skip = False | |
for i in range(16): | |
if cip[i*2:i*2+2] == key2[i*2:i*2+2]: | |
skip_list.append(cip) | |
print(f'skip: {skip_list}') | |
skip = True | |
with open('skip', 'w') as f: | |
f.write(str(skip_list)) | |
if skip: | |
continue | |
pla = bytes([x^y for x, y in zip(binascii.unhexlify(cip), binascii.unhexlify(key2))]) | |
payload12 = e.enc(b'\x05' + p8(14+16+16) + b'\xff'*(14) + pla) | |
know = [] | |
# 跑一下哪些可能是key | |
for x in range(0x100): | |
# p = remote('13.52.88.46', 50000) | |
# e.i = 0 | |
payload = payload12 + p8(x)*16 | |
# p.send(payload) | |
# a = p.recv() | |
# p.close() | |
# if a == b'\x78\x07': | |
if test(e, payload): | |
know.append(x) | |
if len(know) == 16: | |
break | |
print(f'test: {x:02x} found: {know}') | |
print(f'found: {know}') | |
padding = 0 | |
for i in range(0x100): | |
if i not in know: | |
padding = i | |
break | |
key = [] | |
low = [] | |
for i in range(16): | |
for x in know: | |
payload = payload12 + p8(padding)*i + p8(x) + p8(padding)*(15-i) | |
print(binascii.hexlify(bytes(key + [x]))) | |
if test(e, payload): | |
key.append(x) | |
low.append(x) | |
know.pop(know.index(x)) | |
break | |
if x not in key: | |
for x in low: | |
payload = payload12 + p8(padding)*i + p8(x) + p8(padding)*(15-i) | |
print(binascii.hexlify(bytes(key + [x]))) | |
if test(e, payload): | |
key.append(x) | |
break | |
print(binascii.hexlify(bytes(key))) | |
keymap[cip] = binascii.hexlify(bytes(key)) | |
with open('keys', 'w') as f: | |
f.write(str(keymap)) | |
with open('keysre', 'r') as f: | |
if cip in f.read(): | |
return | |
def show(): | |
pla = ''.join([chr(x^y) for x,y in zip(binascii.unhexlify(cips[0]), binascii.unhexlify('7d07cba30c2a82cf2b2119e5ff2c2e8d'))]) | |
print(pla,end='') | |
for i in range(len(cips)): | |
cip = cips[i] | |
key = keymap.get(cip) | |
if not key: | |
print('='*16,end='') | |
continue | |
key = binascii.unhexlify(key) | |
cip = binascii.unhexlify(cips[i+1]) | |
pla = ''.join([chr(x^y) for x,y in zip(cip, key)]) | |
print(pla, end='') | |
show() | |
if __name__ == "__main__": | |
context.log_level='error' | |
context.timeout=5 | |
# find_key2() | |
find_key3('189410e31465117b000c14151d110066') | |
# key2: 0a02864e50d0023e4a10e29602bf3b4e | |
cips = ['da7510bf94276eef5cc87362a56477ba', '183b420cb8c09b4809a252eacf2342ff', '715510976116b8def75a97bc10c5d4a4', 'd40632c9143780fdd3342f564b3e11aa'] | |
payload1 = Enc().enc(b'\x05' + p8(14+16+16) + p8(0xff)*14) | |
find_key3('0a02864e50d0023e4a10e29602bf3b4e') | |
payload1 = Enc().enc(b'\x05' + p8(14+16+16) + p8(0xdd)*14) | |
# key2: 1894103d1e941128007814bf08001186 | |
cips = ['88c1946bbb65cdc61438f010d53262f9', '429daefb5846d4c2019cfee0f1118ba3', '02ab8edc9013ac0e3d76f5f97511348c', '5135fc4d9f5de8f3514241d8f6bf7f66', 'd8827a5d7b5a9e7b3b98b6c5bff8fed2', '417efe6f94368ec522ba451521065d6e'] | |
# skip: ['da7510bf94276eef5cc87362a56477ba', '183b420cb8c09b4809a252eacf2342ff', '715510976116b8def75a97bc10c5d4a4', 'd40632c9143780fdd3342f564b3e11aa'] | |
find_key3('0a02864e50d0023e4a10e29602bf3b4e') |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment