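BCTF is over... a bit of a pity... the 300 points for the secret-stealing trojan challenge were within reach and slipped away because of one small mistake... otherwise we could still have made the top ten - -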

Challenge: 混沌密码锁 (Chaos Passcode Lock): 100

Description

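Legend has it that Mitnick never needs a key to get through any door, whether it has a gold lock, a silver lock or a combination lock. While he was working in the BAT security department under a forged identity, a door with a combination lock caught his attention. What is hidden behind that door? Mitnick decided to find out.

http://bctf.cn/files/downloads/passcode_396331980c645d184ff793fdcbcb739b.py

218.2.197.242:9991
218.2.197.243:9991

passcode_396331980c645d184ff793fdcbcb739b.py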

```python
#!/usr/bin/env python2
# -*- coding:utf-8 -*-
import base64,binascii,zlib
import os,random
import sha  # required by abc(); the listing never imported it

# Digit alphabet shared by the base-2 and base-16 converters below
base = [str(x) for x in range(10)] + [ chr(x) for x in range(ord('A'),ord('A')+6)]

def abc(str):
    return sha.new(str).hexdigest()

def bin2dec(string_num):
    return str(int(string_num, 2))

def hex2dec(string_num):
    return str(int(string_num.upper(), 16))

def dec2bin(string_num):
    num = int(string_num)
    mid = []
    while True:
        if num == 0: break
        num,rem = divmod(num, 2)
        mid.append(base[rem])
    return ''.join([str(x) for x in mid[::-1]])

def dec2hex(string_num):
    num = int(string_num)
    mid = []
    while True:
        if num == 0: break
        num,rem = divmod(num, 16)
        mid.append(base[rem])
    return ''.join([str(x) for x in mid[::-1]])

def hex2bin(string_num):
    return dec2bin(hex2dec(string_num.upper()))

def bin2hex(string_num):
    return dec2hex(bin2dec(string_num))

def reverse(string):
    return string[::-1]

def read_key():
    os.system('cat flag')

def gb2312(string):
    return string.decode('gb2312')

answer='78864179732635837913920409948348078659913609452869425042153399132863903834522365250250429645163517228356622776978637910679538418927909881502654275707069810737850807610916192563069593664094605159740448670132065615956224727012954218390602806577537456281222826375'
func_names = ['fun1', 'fun2', 'fun3', 'fun4', 'fun5', 'fun6', 'fun7', 'fun8', 'fun9']
f={}
f['fun1']=reverse
f['fun2']=base64.b64decode
f['fun3']=zlib.decompress
f['fun4']=dec2hex
f['fun5']=binascii.unhexlify
f['fun6']=gb2312
f['fun7']=bin2dec
f['fun8']=hex2bin
f['fun9']=hex2dec

def check_equal(a, b):
    # True when the two passcodes are the same string or the same integer
    if a == b:
        return True
    try:
        if int(a) == int(b):
            return True
    except:
        return False
    return False

def main():
    print "Welcome to Secure Passcode System"
    print "First, please choose function combination:"
    print "2"
    # The service reads f1..f4 from the user; this copy tries every combination instead.
    for in1 in range(1,10):
        for in2 in range(1,10):
            for in3 in range(1,10):
                for in4 in range(1,10):
                    in1=str(in1)
                    in2=str(in2)
                    in3=str(in3)
                    in4=str(in4)
                    f1='fun'+in1[:1]
                    f2='fun'+in2[:1]
                    f3='fun'+in3[:1]
                    f4='fun'+in4[:1]
                    if f1 not in func_names or f2 not in func_names or f3 not in func_names or f4 not in func_names:
                        print 'invalid function combination'
                        exit()
                    try:
                        answer_hash = f['fun6'](f['fun2'](f[f1](f[f2](f[f3](f[f4](answer))))))
                    except:
                        # The service prints "Wrong function combination, you bad guy!"
                        # and exits here; the search moves on to the next combination.
                        continue
                    if len(answer_hash) == 0:
                        # The service prints 'You must be doing some little dirty trick! Stop it!'
                        continue
                    print f1, f2, f3, f4  # a combination that can process `answer`
                    usercode = raw_input('Your passcode: ')
                    try:
                        user_hash = f['fun6'](f['fun2'](f[f1](f[f2](f[f3](f[f4](usercode))))))
                        if user_hash == answer_hash:
                            if check_equal(answer, usercode):
                                print "This passcode has been locked, please use the new one\n"
                            else:
                                print "Welcome back! The door always open for you, your majesty! "
                                read_key()
                        else:
                            print "Sorry, bad passcode.\n"
                    except:
                        print "Sorry, bad passcode. Please try again."

if __name__ == '__main__':
    main()
```

In this program we choose the four functions f1-f4 ourselves. With

`answer='78864179732635837913920409948348078659913609452869425042153399132863903834522365250250429645163517228356622776978637910679538418927909881502654275707069810737850807610916192563069593664094605159740448670132065615956224727012954218390602806577537456281222826375'`

the program computes

`answer_hash = f['fun6'](f['fun2'](f[f1](f[f2](f[f3](f[f4](answer))))))`

and then applies the same transformation to the usercode we enter:

`user_hash = f['fun6'](f['fun2'](f[f1](f[f2](f[f3](f[f4](usercode))))))`

If the two are equal, we pass (usercode must not be the same as answer). If the chosen function combination does not meet the requirements, the program prints "Wrong function combination, you bad guy!"

First, brute-force the function combination. There is exactly one:

f1='fun3' f2='fun5' f3='fun1' f4='fun4'

The key part follows.

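After `f[f1](f[f2](f[f3](f[f4](answer))))` we have a Base64 string, which is then Base64-decoded with fun2, and fun6 turns the result into the hash.

`f[f1](f[f2](f[f3](f[f4](answer)))) = 'ztLU2s/rxOPU2s/rztLKssO0tcTTw7nIuOi3rdLrv8+2qNK7teOyu7rD08O7ucrHsfDTw8HLv7TV4r7ku7C+wL3hy8DE4771tcPE2A=='`

After decoding:

`f['fun2'](f[f1](f[f2](f[f3](f[f4](answer))))) = '\xce\xd2\xd4\xda\xcf\xeb\xc4\xe3\xd4\xda\xcf\xeb\xce\xd2\xca\xb2\xc3\xb4\xb5\xc4\xd3\xc3\xb9\xc8\xb8\xe8\xb7\xad\xd2\xeb\xbf\xcf\xb6\xa8\xd2\xbb\xb5\xe3\xb2\xbb\xba\xc3\xd3\xc3\xbb\xb9\xca\xc7\xb1\xf0\xd3\xc3\xc1\xcb\xbf\xb4\xd5\xe2\xbe\xe4\xbb\xb0\xbe\xc0\xbd\xe1\xcb\xc0\xc4\xe3\xbe\xf5\xb5\xc3\xc4\xd8'`

Reference: http://zh.wikipedia.org/zh-cn/Base64

Base64 is a way of representing binary data using 64 printable characters.

During conversion, three bytes of data are placed one after another into a 24-bit buffer, with the first byte occupying the high bits. If fewer than 3 bytes are available, the remaining bits of the buffer are filled with 0. Then 6 bits are taken out at a time (because 2^6=64), and the value selects a character from ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/ as the encoded output. This continues until all input data has been converted.

When the length of the original data is not a multiple of 3: if two input bytes are left at the end, one "=" is appended to the encoded result; if one input byte is left, two "=" are appended; if nothing is left, nothing is appended. This ensures the data can be restored correctly.

Back to the challenge: the last four characters are '2A==', which correspond to 110110 000000 000000 000000 (the missing bits are filled with 0). Because there are two '=', the last two of the three bytes carry no data; only the first 8 bits correspond to data, \x90.

What if it were '2B=='? That corresponds to 110110 000001 000000 000000. The trailing data is unused; the useful part is still the first 8 bits, corresponding to \x90.

So the Base64 decoding of

`'ztLU2s/rxOPU2s/rztLKssO0tcTTw7nIuOi3rdLrv8+2qNK7teOyu7rD08O7ucrHsfDTw8HLv7TV4r7ku7C+wL3hy8DE4771tcPE2B=='`

is the same as that of

`'ztLU2s/rxOPU2s/rztLKssO0tcTTw7nIuOi3rdLrv8+2qNK7teOyu7rD08O7ucrHsfDTw8HLv7TV4r7ku7C+wL3hy8DE4771tcPE2A=='`

The rest is simple: run the chain in reverse to obtain usercode.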
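The padding-bit behaviour described above, as an added Python 3 example that is not part of the original write-up or the challenge code: it enumerates every Base64 string that differs from the page's string only in unused trailing bits, and shows the canonical-form check (decode, re-encode, compare) that a verifier can apply before comparing decoded values. The names `aliases`, `is_canonical` and `report` are hypothetical, and the single-`=` case goes beyond the `==` case the text walks through.

```python
import base64
import binascii

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/"

# Base64 string from the write-up: f[f1](f[f2](f[f3](f[f4](answer))))
ORIGINAL = ("ztLU2s/rxOPU2s/rztLKssO0tcTTw7nIuOi3rdLrv8+2qNK7teOyu7rD08O7"
            "ucrHsfDTw8HLv7TV4r7ku7C+wL3hy8DE4771tcPE2A==")


def aliases(b64):
    """Every string that differs from b64 only in the unused bits of its last
    data character; a lenient decoder maps all of them to the same bytes."""
    pad = len(b64) - len(b64.rstrip("="))
    if pad == 0:
        return [b64]                # no padding, so no spare bits
    spare = 2 * pad                 # "=" leaves 2 spare bits, "==" leaves 4
    body = b64[:-pad]
    kept = ALPHABET.index(body[-1]) >> spare << spare  # keep the data bits only
    return [body[:-1] + ALPHABET[kept | low] + "=" * pad
            for low in range(1 << spare)]


def is_canonical(b64):
    """Accept only the one encoding that a conforming encoder would emit."""
    try:
        raw = base64.b64decode(b64)
    except (binascii.Error, ValueError):
        return False
    return base64.b64encode(raw).decode("ascii") == b64


def report(b64):
    """(number of aliases, number of distinct decodings, canonical aliases)."""
    variants = aliases(b64)
    decoded = {base64.b64decode(v) for v in variants}
    return len(variants), len(decoded), [v for v in variants if is_canonical(v)]


if __name__ == "__main__":
    print(report(ORIGINAL))
    print(report("TWE="))  # constructed sample: Base64 of b"Ma"
```

The 16 aliases of the page's string end in `2A==` through `2P==`, the same range the solver below iterates over; only the `2A==` form passes `is_canonical`.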

```python
#!/usr/bin/env python2
# -*- coding:utf-8 -*-
#BCTF_Crypto100
#ROIS_yufan
import base64,binascii,zlib
import os,random
import sha  # required by abc(); the listing never imported it

# Digit alphabet shared by the base-2 and base-16 converters below
base = [str(x) for x in range(10)] + [ chr(x) for x in range(ord('A'),ord('A')+6)]

def abc(str):
    return sha.new(str).hexdigest()

def bin2dec(string_num):
    return str(int(string_num, 2))

def hex2dec(string_num):
    return str(int(string_num.upper(), 16))

def dec2bin(string_num):
    num = int(string_num)
    mid = []
    while True:
        if num == 0: break
        num,rem = divmod(num, 2)
        mid.append(base[rem])
    return ''.join([str(x) for x in mid[::-1]])

def dec2hex(string_num):
    num = int(string_num)
    mid = []
    while True:
        if num == 0: break
        num,rem = divmod(num, 16)
        mid.append(base[rem])
    return ''.join([str(x) for x in mid[::-1]])

def hex2bin(string_num):
    return dec2bin(hex2dec(string_num.upper()))

def bin2hex(string_num):
    return dec2hex(bin2dec(string_num))

def reverse(string):
    return string[::-1]

def read_key():
    os.system('cat flag')

def gb2312(string):
    return string.decode('gb2312')

answer='78864179732635837913920409948348078659913609452869425042153399132863903834522365250250429645163517228356622776978637910679538418927909881502654275707069810737850807610916192563069593664094605159740448670132065615956224727012954218390602806577537456281222826375'
func_names = ['fun1', 'fun2', 'fun3', 'fun4', 'fun5', 'fun6', 'fun7', 'fun8', 'fun9']
f={}
f['fun1']=reverse
f['fun2']=base64.b64decode
f['fun3']=zlib.decompress
f['fun4']=dec2hex
f['fun5']=binascii.unhexlify
f['fun6']=gb2312
f['fun7']=bin2dec
f['fun8']=hex2bin
f['fun9']=hex2dec

def check_equal(a, b):
    # True when the two passcodes are the same string or the same integer
    if a == b:
        return True
    try:
        if int(a) == int(b):
            return True
    except:
        return False
    return False

def main():
    print "Welcome to Secure Passcode System"
    print "First, please choose function combination:"
    # The combination found by brute force is hard-coded in place of the prompts.
    # in1=raw_input('f1: ')
    f1='fun'+'3'
    # in2=raw_input('f2: ')
    f2='fun'+'5'
    # in3=raw_input('f3: ')
    f3='fun'+'1'
    # in4=raw_input('f4: ')
    f4='fun'+'4'
    print f1, f2, f3, f4
    if f1 not in func_names or f2 not in func_names or f3 not in func_names or f4 not in func_names:
        print 'invalid function combination'
        exit()
    try:
        answer_hash = f['fun6'](f['fun2'](f[f1](f[f2](f[f3](f[f4](answer))))))
        # print f[f4](answer)
        # print f[f3](f[f4](answer))
        # print repr(f[f2](f[f3](f[f4](answer))))
        print 'original base64', f[f1](f[f2](f[f3](f[f4](answer))))
        print 'original decoded base64', repr(f['fun2'](f[f1](f[f2](f[f3](f[f4](answer))))))
        print 'my base64 decoded', repr(base64.b64decode('ztLU2s/rxOPU2s/rztLKssO0tcTTw7nIuOi3rdLrv8+2qNK7teOyu7rD08O7ucrHsfDTw8HLv7TV4r7ku7C+wL3hy8DE4771tcPE2'+'B'+'=='))
    except:
        print "Wrong function combination, you bad guy!"
        exit()
    if len(answer_hash) == 0:
        print 'You must be doing some little dirty trick! Stop it!'
        exit()
    # 'A'..'P' are the 16 Base64 characters whose top two bits are 00, so swapping
    # them in before the '==' leaves the decoded bytes unchanged.
    for c in range(ord('A'), ord('Q')):
        # Invert f4..f1: zlib.compress -> hexlify -> reverse -> hex2dec
        usercode = str (hex2dec(reverse(binascii.hexlify(zlib.compress('ztLU2s/rxOPU2s/rztLKssO0tcTTw7nIuOi3rdLrv8+2qNK7teOyu7rD08O7ucrHsfDTw8HLv7TV4r7ku7C+wL3hy8DE4771tcPE2'+chr(c)+'==')))))
        print usercode
        try:
            # print f[f4](usercode)
            # print f[f3](f[f4](usercode))
            # print repr(f[f2](f[f3](f[f4](usercode))))
            # print f[f1](f[f2](f[f3](f[f4](usercode))))
            # print repr(f['fun2'](f[f1](f[f2](f[f3](f[f4](usercode))))))
            user_hash = f['fun6'](f['fun2'](f[f1](f[f2](f[f3](f[f4](usercode))))))
            if user_hash == answer_hash:
                if check_equal(answer, usercode):
                    print "This passcode has been locked, please use the new one\n"
                else:
                    print "Welcome back! The door always open for you, your majesty! "
            else:
                print "Sorry, bad passcode.\n"
        except:
            print "Sorry, bad passcode. Please try again."

if __name__ == '__main__':
    main()
```