BugkuCTF_PHP_encrypt_1(ISCCCTF)

1. Challenge: PHP_encrypt_1 (ISCCCTF)

2. Download the attachment, unzip it and open it: it contains PHP code

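```php
<?php
function encrypt($data, $key)
{
    // The $key argument is overwritten: the key is always the hex MD5 of 'ISCC'
    $key = md5('ISCC');
    $x = 0;
    $len = strlen($data);
    $klen = strlen($key);
    $char = '';
    $str = '';
    // Repeat the key until it is as long as the data
    for ($i = 0; $i < $len; $i++) {
        if ($x == $klen) {
            $x = 0;
        }
        $char .= $key[$x];
        $x += 1;
    }
    // Add each data byte to the matching key byte, modulo 128
    for ($i = 0; $i < $len; $i++) {
        $str .= chr((ord($data[$i]) + ord($char[$i])) % 128);
    }
    return base64_encode($str);
}
?>
```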

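But something seems to be missing.
I searched online for the experts' writeups and found that the function's return value seemed to be missing.
output: fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA=
OK, now that we have the return value, we can work backwards to find what data was passed in (so this is the first reversing challenge I have done, yep, that's how it is (ˉ﹃ˉ))

3. I rewrote the function in Python, which also helps in understanding what it does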
```python
# -*- coding: UTF-8 -*-
import base64
import hashlib


def eccrypt(data):
    key = hashlib.md5(b'ISCC').hexdigest()
    # print('key-->', key)
    x = 0
    char = ''
    data_len = len(data)  # length of data
    key_len = len(key)  # length of key
    for i in range(data_len):
        if x == key_len:
            x = 0
        char += key[x]
        x += 1
    # print('char-->', char)
    flag = ''
    for i in range(data_len):
        # (data byte + key byte) mod 128, as in the PHP code
        flag += chr((ord(data[i]) + ord(char[i])) % 128)
    # print('flag-->', flag)
    return base64.b64encode(flag.encode('latin-1')).decode('ascii')


'''
def detrcy(b64):
    int_b64 = []
    b64de = base64.b64decode(b64)
    # print('b64de-->', b64de)
    # print('len_b64de-->', len(b64de))
    for i in range(len(b64de)):
        int_b64.append(b64de[i])
    # print('int_b64-->', int_b64)
    # print('len_int_b64-->', len(int_b64))
    key = '729623334f0aa2784a1599fd374c120d729623'
    int_key = []
    for i in range(len(key)):
        int_key.append(ord(key[i]))
    # print('int_key-->', int_key)
    flag = ''
    for i in range(len(int_b64)):
        flag += chr((int_b64[i] - int_key[i] + 128) % 128)
    print(flag)
'''


if __name__ == '__main__':
    str_b64 = eccrypt('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
    print('str_b64-->', str_b64)
    # str_b64 = 'fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA='
    # print('str_b64-->', str_b64)
    # detrcy(str_b64)
```

4. Finally, write the decryption method
```python
# -*- coding: UTF-8 -*-
import base64
# import hashlib


'''
def eccrypt(data):
    key = hashlib.md5(b'ISCC').hexdigest()
    # print('key-->', key)
    x = 0
    char = ''
    data_len = len(data)  # length of data
    key_len = len(key)  # length of key
    for i in range(data_len):
        if x == key_len:
            x = 0
        char += key[x]
        x += 1
    # print('char-->', char)
    flag = ''
    for i in range(data_len):
        flag += chr((ord(data[i]) + ord(char[i])) % 128)
    # print('flag-->', flag)
    return base64.b64encode(flag.encode('latin-1')).decode('ascii')
'''


def detrcy(b64):
    int_b64 = []
    b64de = base64.b64decode(b64)
    # print('b64de-->', b64de)
    # print('len_b64de-->', len(b64de))
    for i in range(len(b64de)):
        int_b64.append(b64de[i])  # indexing bytes already yields an int
    # print('int_b64-->', int_b64)
    # print('len_int_b64-->', len(int_b64))
    # once the length of data is known, the repeated key can be written out directly
    key = '729623334f0aa2784a1599fd374c120d729623'
    int_key = []
    for i in range(len(key)):
        int_key.append(ord(key[i]))
    # print('int_key-->', int_key)
    flag = ''
    for i in range(len(int_b64)):
        # undo the addition; + 128 keeps the value non-negative before % 128
        flag += chr((int_b64[i] - int_key[i] + 128) % 128)
    print(flag)


if __name__ == '__main__':
    # str_b64 = eccrypt('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
    # print('str_b64-->', str_b64)
    str_b64 = 'fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA='
    # print('str_b64-->', str_b64)
    detrcy(str_b64)
```
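
A more general form of the decryption step, as an added example that is not part of the original post: it derives the repeating keystream from md5('ISCC') for any ciphertext length instead of writing out the 38-character key by hand, and it shows that the `% 128` step makes the scheme reversible only for 7-bit input. The names `keystream`, `encrypt`, `decrypt`, `is_reversible` and `CHALLENGE_OUTPUT` are this example's own.

```python
import base64
import hashlib
from itertools import cycle

MODULUS = 128  # the PHP code reduces every sum modulo 128

# The "output:" value quoted in the writeup above
CHALLENGE_OUTPUT = "fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA="


def keystream():
    """Hex MD5 of 'ISCC' repeated forever (the PHP $char string)."""
    return cycle(hashlib.md5(b"ISCC").hexdigest().encode("ascii"))


def encrypt(data: bytes) -> str:
    """Same arithmetic as the PHP encrypt(): (data + key) % 128, then Base64."""
    summed = bytes((d + k) % MODULUS for d, k in zip(data, keystream()))
    return base64.b64encode(summed).decode("ascii")


def decrypt(b64: str) -> bytes:
    """Invert encrypt(): Base64-decode, then subtract the keystream mod 128."""
    raw = base64.b64decode(b64, validate=True)
    if any(c >= MODULUS for c in raw):
        # encrypt() can never emit a byte with the top bit set
        raise ValueError("byte >= 128: not produced by this encrypt()")
    # Python's % always returns a non-negative result, so no "+ 128" is needed
    return bytes((c - k) % MODULUS for c, k in zip(raw, keystream()))


def is_reversible(data: bytes) -> bool:
    """Only 7-bit input survives a round trip: % 128 discards the top bit."""
    return all(b < MODULUS for b in data)


if __name__ == "__main__":
    print(decrypt(CHALLENGE_OUTPUT).decode("ascii"))

    sample = b"constructed 7-bit sample"  # constructed test input
    print(is_reversible(sample), decrypt(encrypt(sample)) == sample)

    lossy = "\u00e4".encode("utf-8")  # constructed non-ASCII input
    print(is_reversible(lossy), decrypt(encrypt(lossy)) == lossy)
```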

(code audit, cryptography, web)