Problem: [柏鹭杯 2021]baby_python
思路
- 解题大致思路
pyinstxtractor-ng.exe反编译baby.exe,得到baby_core.pyc,用pycdc反编译得到源码
# Source Generated with Decompyle++
# File: baby_core.pyc (Python 3.7)
import hashlib
def md5(s = None):
m = hashlib.md5()
m.update(s)
return m.hexdigest().lower()
def main():
secret = input('secret: ')
if len(secret) != 48:
return None
if not None.isnumeric():
return None
values = None
for i in range(0, 48, 3):
values.append(int(secret[i:i + 3]))
co = [
[
158,
195,
205,
229,
213,
238,
211,
198,
190,
226,
135,
119,
145,
205,
113,
122],
[
234,
256,
185,
253,
244,
134,
102,
117,
190,
106,
131,
205,
198,
234,
162,
218],
[
164,
164,
209,
200,
168,
226,
189,
151,
253,
241,
232,
151,
193,
119,
226,
193],
[
213,
117,
151,
103,
249,
148,
103,
213,
218,
222,
104,
228,
100,
206,
218,
177],
[
217,
202,
126,
214,
195,
125,
144,
105,
152,
118,
167,
137,
171,
173,
206,
240],
[
160,
134,
131,
135,
186,
213,
146,
129,
125,
139,
174,
205,
177,
240,
194,
181],
[
183,
213,
127,
136,
136,
209,
199,
191,
150,
218,
160,
111,
191,
226,
154,
191],
[
247,
188,
210,
219,
179,
204,
155,
220,
215,
127,
225,
214,
195,
162,
214,
239],
[
108,
112,
104,
133,
178,
138,
110,
176,
232,
124,
193,
239,
131,
138,
161,
218],
[
140,
213,
142,
181,
179,
173,
203,
208,
184,
129,
129,
119,
122,
152,
186,
124],
[
105,
205,
124,
142,
175,
184,
234,
119,
195,
218,
141,
122,
202,
202,
190,
178],
[
183,
178,
256,
124,
241,
132,
163,
209,
204,
104,
175,
211,
196,
136,
158,
210],
[
224,
144,
189,
106,
177,
251,
206,
163,
167,
144,
208,
254,
117,
253,
100,
106],
[
251,
251,
136,
170,
145,
177,
175,
124,
193,
188,
193,
198,
208,
171,
151,
230],
[
143,
200,
143,
150,
243,
148,
136,
213,
161,
224,
170,
208,
185,
117,
189,
242],
[
234,
188,
226,
194,
248,
168,
250,
244,
166,
106,
113,
218,
209,
220,
158,
228]]
r = [
472214,
480121,
506256,
449505,
433390,
435414,
453899,
536361,
423332,
427624,
440268,
488759,
469049,
484574,
480266,
522818]
for i in range(16):
v = 0
for j in range(16):
v += co[i][j] * values[j]
if v != r[i]:
return None
print('flag{ISEC-%s}' % md5(secret.encode()))
编写逆向exp
EXP
- 具体攻击代码
import hashlib
from z3 import *
def md5(s = None):
m = hashlib.md5()
m.update(s)
return m.hexdigest().lower()
def main():
## secret = input('secret: ')
## if len(secret) != 48:
## return None
## if not None.isnumeric():
## return None
## values = None
## for i in range(0, 48, 3):
## values.append(int(secret[i:i + 3]))
co = [
[
158,
195,
205,
229,
213,
238,
211,
198,
190,
226,
135,
119,
145,
205,
113,
122],
[
234,
256,
185,
253,
244,
134,
102,
117,
190,
106,
131,
205,
198,
234,
162,
218],
[
164,
164,
209,
200,
168,
226,
189,
151,
253,
241,
232,
151,
193,
119,
226,
193],
[
213,
117,
151,
103,
249,
148,
103,
213,
218,
222,
104,
228,
100,
206,
218,
177],
[
217,
202,
126,
214,
195,
125,
144,
105,
152,
118,
167,
137,
171,
173,
206,
240],
[
160,
134,
131,
135,
186,
213,
146,
129,
125,
139,
174,
205,
177,
240,
194,
181],
[
183,
213,
127,
136,
136,
209,
199,
191,
150,
218,
160,
111,
191,
226,
154,
191],
[
247,
188,
210,
219,
179,
204,
155,
220,
215,
127,
225,
214,
195,
162,
214,
239],
[
108,
112,
104,
133,
178,
138,
110,
176,
232,
124,
193,
239,
131,
138,
161,
218],
[
140,
213,
142,
181,
179,
173,
203,
208,
184,
129,
129,
119,
122,
152,
186,
124],
[
105,
205,
124,
142,
175,
184,
234,
119,
195,
218,
141,
122,
202,
202,
190,
178],
[
183,
178,
256,
124,
241,
132,
163,
209,
204,
104,
175,
211,
196,
136,
158,
210],
[
224,
144,
189,
106,
177,
251,
206,
163,
167,
144,
208,
254,
117,
253,
100,
106],
[
251,
251,
136,
170,
145,
177,
175,
124,
193,
188,
193,
198,
208,
171,
151,
230],
[
143,
200,
143,
150,
243,
148,
136,
213,
161,
224,
170,
208,
185,
117,
189,
242],
[
234,
188,
226,
194,
248,
168,
250,
244,
166,
106,
113,
218,
209,
220,
158,
228]]
r = [
472214,
480121,
506256,
449505,
433390,
435414,
453899,
536361,
423332,
427624,
440268,
488759,
469049,
484574,
480266,
522818]
s = Solver()
values = [Int('v%d' % i) for i in range(16)]
for i in range(16):
v = 0
for j in range(16):
v += co[i][j] * values[j]
s.add(v == r[i])
if s.check()==sat:
m = s.model()
data_dict = {str(_):str(m[_]) for _ in m}
secret = ''.join(str(data_dict['v'+ str(i)]) for i in range(len(data_dict)))
print(md5(secret.encode()))
## for i in range(16):
## v = 0
## for j in range(16):
## v += co[i][j] * values[j]
##
## if v != r[i]:
## return None
##
## print('flag{ISEC-%s}' % md5(secret.encode()))
main()
总结
- 对该题的考点总结