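pwntools – Reversing XOR

This post covers the properties of the XOR operation and then uses them to undo the chain of operations that encrypted a flag. Gaining an intuition for how this works will help greatly when you later attack real cryptosystems, especially in the block cipher category.

When we solve challenges with the XOR operator, there are four main properties to keep in mind:

Commutative: A ⊕ B = B ⊕ A
Associative: A ⊕ (B ⊕ C) = (A ⊕ B) ⊕ C
Identity: A ⊕ 0 = A
Self-inverse: A ⊕ A = 0

Let's break this down. Commutative means that the order of the XOR operations does not matter. Associative means that a chain of operations can be carried out in any order (we do not need to worry about brackets). The identity is 0, so XOR with 0 "does nothing", and finally anything XORed with itself returns zero.

Let's try this out in action! Below is a series of outputs in which three random keys have been XORed together and with the flag. Use the properties above to undo the encryption in the final line and obtain the flag.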

KEY1 = a6c8b6733c9b22de7bc0253266a3867df55acde8635e19c73313
KEY2 ^ KEY1 = 37dcb292030faa90d07eec17e3b1c6d8daf94c35d4c9191a5e1e
KEY2 ^ KEY3 = c1545756687e7573db23aa1c3452a098b71a7fbf0fddddde5fc1
FLAG ^ KEY1 ^ KEY3 ^ KEY2 = 04ee9855208a2cd59091d04767ae47963170d1660df7f56f5faf

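Before XORing these objects, be sure to decode them from hex to bytes. If you have pwntools installed, it provides an xor function for byte strings: from pwn import xor

Solution

XOR has a very handy property: XORing a value with the same operand twice returns the original value.

So we only need to work out key1, key2 and key3, and then XOR all of them together with the last line to get the answer.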

# KEY1 = a6c8b6733c9b22de7bc0253266a3867df55acde8635e19c73313
# KEY2 ^ KEY1 = 37dcb292030faa90d07eec17e3b1c6d8daf94c35d4c9191a5e1e
# KEY2 ^ KEY3 = c1545756687e7573db23aa1c3452a098b71a7fbf0fddddde5fc1
# FLAG ^ KEY1 ^ KEY3 ^ KEY2 = 04ee9855208a2cd59091d04767ae47963170d1660df7f56f5faf

key1 = "a6c8b6733c9b22de7bc0253266a3867df55acde8635e19c73313"
key2_key1 = "37dcb292030faa90d07eec17e3b1c6d8daf94c35d4c9191a5e1e"
key2_key3 = "c1545756687e7573db23aa1c3452a098b71a7fbf0fddddde5fc1"
flag_key1_key3_key2 = "04ee9855208a2cd59091d04767ae47963170d1660df7f56f5faf"

# Decode each hex string into a list of byte values (ints 0-255).
k1 = [o for o in bytes.fromhex(key1)]
k1_k2 = [o for o in bytes.fromhex(key2_key1)]
k2_k3 = [o for o in bytes.fromhex(key2_key3)]
f_k1_k3_k2 = [o for o in bytes.fromhex(flag_key1_key3_key2)]

# KEY2 = KEY1 ^ (KEY2 ^ KEY1), because KEY1 ^ KEY1 = 0
k2 = [a^b for (a,b) in zip(k1,k1_k2)]
# KEY3 = KEY2 ^ (KEY2 ^ KEY3), because KEY2 ^ KEY2 = 0
k3 = [a^b for (a,b) in zip(k2,k2_k3)]
# XORing the last line with all three keys cancels them and leaves FLAG
flag = [a^b^c^d for (a,b,c,d) in zip(k1,k2,k3,f_k1_k3_k2)]
print("".join(chr(o) for o in flag))
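
The same chain can be undone without recovering KEY2 and KEY3 at all, because the last line XORed with KEY1 and with KEY2 ^ KEY3 cancels every key. The block below is an added example, not code from the original post; the names xor_strict, recover_flag_shortcut and recover_flag_long_way are illustrative, and the helper rejects inputs of different lengths instead of silently truncating them the way zip does.

```python
# Added example (not from the original post): a strict XOR helper plus the
# associativity shortcut. The hex values are the four lines from the challenge.
from functools import reduce

KEY1 = bytes.fromhex("a6c8b6733c9b22de7bc0253266a3867df55acde8635e19c73313")
K2_K1 = bytes.fromhex("37dcb292030faa90d07eec17e3b1c6d8daf94c35d4c9191a5e1e")
K2_K3 = bytes.fromhex("c1545756687e7573db23aa1c3452a098b71a7fbf0fddddde5fc1")
F_K1_K3_K2 = bytes.fromhex("04ee9855208a2cd59091d04767ae47963170d1660df7f56f5faf")


def xor_strict(*parts: bytes) -> bytes:
    """XOR equal-length byte strings column by column.

    Raises ValueError on a length mismatch, so a short operand is never
    silently truncated (zip) or repeated (repeating-key XOR helpers).
    """
    if len({len(p) for p in parts}) != 1:
        raise ValueError(f"length mismatch: {[len(p) for p in parts]}")
    return bytes(reduce(lambda a, b: a ^ b, col) for col in zip(*parts))


def recover_flag_shortcut() -> bytes:
    # (FLAG^K1^K3^K2) ^ K1 ^ (K2^K3)
    #   = FLAG ^ (K1^K1) ^ (K2^K2) ^ (K3^K3)   commutative + associative
    #   = FLAG ^ 0 ^ 0 ^ 0 = FLAG              self-inverse + identity
    # The KEY2 ^ KEY1 line is not needed on this route.
    return xor_strict(F_K1_K3_K2, KEY1, K2_K3)


def recover_flag_long_way() -> bytes:
    # The route used in the post: recover KEY2 and KEY3, then cancel all keys.
    key2 = xor_strict(KEY1, K2_K1)
    key3 = xor_strict(key2, K2_K3)
    return xor_strict(F_K1_K3_K2, KEY1, key2, key3)


if __name__ == "__main__":
    flag = recover_flag_shortcut()
    assert flag == recover_flag_long_way()  # both routes must agree
    print(flag.decode())
```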

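Another pwntools solution, even faster!

from pwn import xor
# Note: this hex string is a different ciphertext from the four values above.
# pwntools' xor repeats the shorter argument, so XORing with the known flag
# prefix 'crypto{' reveals the first bytes of the repeating key.
flag = bytes.fromhex('0e0b213f26041e480b26217f27342e175d0e070a3c5b103e2526217f27342e175d0e077e263451150104')
print(xor(flag, 'crypto{'.encode())) # oh, it says 'myXORke+y...'
print(xor(flag, 'myXORkey'.encode())) # try this? yay, it works! sometimes simpler is better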