RCTF2019 baby_AES 题解

阅读量291752

|评论5

|

发布时间 : 2019-05-22 16:15:23

 

前言

上周末玩了RCTF,可能为了防止冠军AK题目比*CTF难不少,下面是一道密码的题解。

 

题目内容

只给了一个 crypto.py:

#!/usr/bin/python3 -u

from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import padding
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
import binascii
import os
import sys
import copy
import struct

rcon = [ 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xd8, 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc, 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4, 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91 ]

S = [0x93 ,0x43 ,0x5D ,0x6E ,0x9E ,0xE6 ,0x02 ,0x3D ,0x48 ,0x65 ,0x9C ,0x39 ,0xEA ,0x1C ,0x5F ,0x01 ,0x26 ,0x9F ,0x2B ,0xEC ,0x6D ,0xB5 ,0x8D ,0x84 ,0x7F ,0xF1 ,0xC5 ,0x82 ,0x4B ,0x00 ,0x55 ,0xE3 ,0xC2 ,0xB2 ,0x63 ,0x8F ,0x41 ,0xA3 ,0x2F ,0x4D ,0x92 ,0x08 ,0x8B ,0x4F ,0x09 ,0x36 ,0xFC ,0x16 ,0x33 ,0x78 ,0x7B ,0x76 ,0x35 ,0x13 ,0x73 ,0x6B ,0x05 ,0xC3 ,0x2A ,0x7E ,0xEF ,0x37 ,0x22 ,0x4E ,0xED ,0xBA ,0x3A ,0x74 ,0xCC ,0xB1 ,0x2D ,0x59 ,0x10 ,0x23 ,0xA0 ,0x7D ,0xDA ,0x0F ,0x3F ,0x3E ,0xE9 ,0x4C ,0xD4 ,0x11 ,0x66 ,0xA1 ,0x90 ,0x28 ,0xFA ,0xC4 ,0xD5 ,0xDF ,0x60 ,0x18 ,0x32 ,0x68 ,0xF7 ,0x24 ,0x94 ,0x0B ,0xF9 ,0xF6 ,0x95 ,0xB9 ,0xCF ,0x9A ,0x29 ,0x25 ,0x31 ,0x7C ,0x64 ,0xCB ,0x5A ,0x0C ,0x77 ,0x71 ,0x12 ,0x30 ,0xCE ,0x86 ,0xA4 ,0x42 ,0x72 ,0x5E ,0xCA ,0xFB ,0x19 ,0x6A ,0x27 ,0xF0 ,0x8C ,0xF3 ,0x5B ,0xB8 ,0x45 ,0x56 ,0x50 ,0x61 ,0xBF ,0xC7 ,0xDC ,0xD7 ,0x67 ,0x75 ,0xB0 ,0x54 ,0xE2 ,0x15 ,0x57 ,0x1D ,0xBC ,0x1E ,0x2C ,0x80 ,0xF5 ,0x91 ,0xF4 ,0x2E ,0xC9 ,0xEE ,0xFD ,0xBB ,0xD3 ,0x44 ,0x34 ,0xE0 ,0xE8 ,0x07 ,0x5C ,0xB6 ,0x06 ,0x0D ,0x6F ,0xDB ,0xBD ,0xFF ,0xAB ,0x9D ,0x20 ,0xA8 ,0x88 ,0x6C ,0xC8 ,0xBE ,0xE5 ,0xA5 ,0x14 ,0xD0 ,0x8A ,0x1B ,0x9B ,0x40 ,0x81 ,0xE1 ,0x1A ,0xD1 ,0x89 ,0xD8 ,0xB4 ,0xFE ,0xC0 ,0xEB ,0x1F ,0x79 ,0x62 ,0xE7 ,0x98 ,0xAA ,0xF8 ,0x87 ,0x51 ,0xD6 ,0x70 ,0x58 ,0xA6 ,0x96 ,0x83 ,0xA9 ,0x85 ,0x8E ,0x99 ,0xA2 ,0x21 ,0x17 ,0x38 ,0xAD ,0x0E ,0x53 ,0x46 ,0xB3 ,0x49 ,0x69 ,0x52 ,0xD2 ,0x4A ,0xC1 ,0xB7 ,0xD9 ,0xC6 ,0x03 ,0xF2 ,0xA7 ,0xE4 ,0xAE ,0xAC ,0x04 ,0xDD ,0x3B ,0x47 ,0x3C ,0x0A ,0x97 ,0xAF ,0xDE ,0x7A ,0xCD ,]

T1 = [0xF467D4E9 ,0x2E6DD254 ,0xDE838832 ,0x5D3311CD ,0x9C02F7D0 ,0x71978453 ,0x10120E0A ,0xF3CEB3C9 ,0x763EE373 ,0x056020EA ,0x8C10F9DA ,0xD3EAAFDD ,0x11FBA06F ,0xE0FC546C ,0xCE918638 ,0x08090705 ,0x2B0DF2BE ,0x940BF0D5 ,0x4368D187 ,0x21CDB271 ,0x452818C2 ,0xDF6A2657 ,0x04898E8F ,0x4CC8B1A2 ,0xD5AA6698 ,0xC938E118 ,0x72B76DFC ,0x7CFEA3BC ,0x6E25EA7C ,0x00000000 ,0x9ECBB01A ,0x59BA9F42 ,0x4A8878E7 ,0xE755334C ,0x355632F4 ,0x149B8085 ,0x3E7FDC5E ,0x6FCC4419 ,0x634CCD93 ,0x5E13F862 ,0xFC6ED3EC ,0x40483828 ,0x34BF9C91 ,0x4E01F668 ,0x48413F2D ,0xAB9D82EE ,0xA15DC221 ,0xB0A6624E ,0x83B099FF ,0xED957383 ,0xF58E7A8C ,0x9DEB59B5 ,0xB3868BE1 ,0x988B795F ,0xB5C642A4 ,0x751E0ADC ,0x282D1B11 ,0x42817FE2 ,0x4B61D682 ,0xDDA3619D ,0x39D6BB7E ,0xA39485EB ,0x0B29EEAA ,0x4608F16D ,0x29C4B574 ,0xA71D0B64 ,0xCBF1A6D2 ,0x8DF957BF ,0x3AF652D1 ,0xFF4E3A43 ,0x735EC399 ,0xFEA79426 ,0x80907050 ,0x0320E9AF ,0x77D74D16 ,0xC5B86892 ,0x8A50309F ,0x78772D33 ,0xE3DCBDC3 ,0xEBD5BAC6 ,0x09E0A960 ,0x561AFF67 ,0xFA2E1AA9 ,0x88997755 ,0x1D7B29E5 ,0x7FDE4A13 ,0xEC7CDDE6 ,0x5B73D888 ,0x916BD03F ,0x7ABE6AF9 ,0xF2271DAC ,0xA27D2B8E ,0x2D4D3BFB ,0xC0D84878 ,0x8BB99EFA ,0x6D0503D3 ,0xF90EF306 ,0x3B1FFCB4 ,0xCC58C1F2 ,0x58533127 ,0x8970D930 ,0xF107F403 ,0xC451C6F7 ,0xBF06026B ,0x22ED5BDE ,0xBC26EBC4 ,0x537ADF8D ,0x3316FBB1 ,0x93A297F5 ,0xCDB16F97 ,0x0D6927EF ,0x02C947CA ,0xE6BC9D29 ,0x606C243C ,0x95E25EB0 ,0xA5D44CAE ,0x90827E5A ,0x9BAB90F0 ,0x2AE45CDB ,0x5CDABFA8 ,0x57F35102 ,0x2664D551 ,0xBDCF45A1 ,0xC698813D ,0x0AC040CF ,0x9962D73A ,0xC8D14F7D ,0x7D170DD9 ,0x2304F5BB ,0xC131E61D ,0x0C80898A ,0xD92AEF12 ,0xEEB59A2C ,0xB70F056E ,0x1E5BC04A ,0x86D0B915 ,0xB6E6AB0B ,0x25443CFE ,0x8F301075 ,0x62A563F6 ,0xBA662281 ,0xE23513A6 ,0x15722EE0 ,0x85F050BA ,0xF7473D46 ,0x96C2B71F ,0x51B39847 ,0xA8BD6B41 ,0x8ED9BE10 ,0xE8F55369 ,0x972B197A ,0xF0EE5A66 ,0x7B57C49C ,0x6CECADB6 ,0xE91CFD0C ,0xE475DAE3 ,0xE115FA09 ,0x6B45CA96 ,0x12DB49C0 ,0x31DFBC7B ,0xA954C524 ,0xAF140C61 ,0xC2110FB2 ,0x1652C74F ,0xBB8F8CE4 ,0x41A1964D ,0x01E9AE65 ,0x383F151B ,0xD68A8F37 ,0xC7712F58 ,0x3036121E ,0x68652339 ,0x553A16C8 ,0x8259379A ,0x9F221E7F ,0xB946CB2E ,0x2F847C31 ,0x8419FEDF ,0x1B3BE0A0 ,0x379F753E ,0x2CA4959E ,0x4D211FC7 ,0x1AD24EC5 ,0x87391770 ,0x698C8D5C ,0x5FFA5607 ,0xA0B46C44 ,0xDA0A06BD ,0x3CB69B94 ,0xD8C34177 ,0xB42FECC1 ,0x3676DB5B ,0x64E5AAB3 ,0x49A89148 ,0xD0CA4672 ,0xD20301B8 ,0x24AD929B ,0x9A423E95 ,0xD7632152 ,0xB14FCC2B ,0x5A9A76ED ,0x19F2A76A ,0xF8E75D63 ,0xE59C7486 ,0x3D5F35F1 ,0x799E8356 ,0xAC34E5CE ,0x278D7B34 ,0x8179DE35 ,0x54D3B8AD ,0xBEEFAC0E ,0xEA3C14A3 ,0xADDD4BAB ,0xF6AE9323 ,0x47E15F08 ,0xDC4ACFF8 ,0x74F7A4B9 ,0x3F96723B ,0x44C1B6A7 ,0x1C928780 ,0xA43DE2CB ,0x67C5431C ,0x1332E7A5 ,0xB8AF654B ,0xDBE3A8D8 ,0x1FB26E2F ,0x707E2A36 ,0xAEFDA204 ,0x0640C945 ,0xEF5C3449 ,0x7E37E476 ,0x650C04D6 ,0xA6F4A501 ,0xCA1808B7 ,0x662CED79 ,0x529371E8 ,0xCF78285D ,0x924B3990 ,0x6AAC64F3 ,0x181B090F ,0xD123E817 ,0x4FE8580D ,0x61858A59 ,0x07A96720 ,0x17BB692A ,0x20241C14 ,0xB26F2584 ,0xC3F8A1D7 ,0x0E49CE40 ,0xFBC7B4CC ,0x505A3622 ,0xD443C8FD ,0x0FA06025 ,0xAA742C8B ,0xFD877D89 ,0x32FF55D4 ,]
T2 = [0xE9F467D4 ,0x542E6DD2 ,0x32DE8388 ,0xCD5D3311 ,0xD09C02F7 ,0x53719784 ,0x0A10120E ,0xC9F3CEB3 ,0x73763EE3 ,0xEA056020 ,0xDA8C10F9 ,0xDDD3EAAF ,0x6F11FBA0 ,0x6CE0FC54 ,0x38CE9186 ,0x05080907 ,0xBE2B0DF2 ,0xD5940BF0 ,0x874368D1 ,0x7121CDB2 ,0xC2452818 ,0x57DF6A26 ,0x8F04898E ,0xA24CC8B1 ,0x98D5AA66 ,0x18C938E1 ,0xFC72B76D ,0xBC7CFEA3 ,0x7C6E25EA ,0x00000000 ,0x1A9ECBB0 ,0x4259BA9F ,0xE74A8878 ,0x4CE75533 ,0xF4355632 ,0x85149B80 ,0x5E3E7FDC ,0x196FCC44 ,0x93634CCD ,0x625E13F8 ,0xECFC6ED3 ,0x28404838 ,0x9134BF9C ,0x684E01F6 ,0x2D48413F ,0xEEAB9D82 ,0x21A15DC2 ,0x4EB0A662 ,0xFF83B099 ,0x83ED9573 ,0x8CF58E7A ,0xB59DEB59 ,0xE1B3868B ,0x5F988B79 ,0xA4B5C642 ,0xDC751E0A ,0x11282D1B ,0xE242817F ,0x824B61D6 ,0x9DDDA361 ,0x7E39D6BB ,0xEBA39485 ,0xAA0B29EE ,0x6D4608F1 ,0x7429C4B5 ,0x64A71D0B ,0xD2CBF1A6 ,0xBF8DF957 ,0xD13AF652 ,0x43FF4E3A ,0x99735EC3 ,0x26FEA794 ,0x50809070 ,0xAF0320E9 ,0x1677D74D ,0x92C5B868 ,0x9F8A5030 ,0x3378772D ,0xC3E3DCBD ,0xC6EBD5BA ,0x6009E0A9 ,0x67561AFF ,0xA9FA2E1A ,0x55889977 ,0xE51D7B29 ,0x137FDE4A ,0xE6EC7CDD ,0x885B73D8 ,0x3F916BD0 ,0xF97ABE6A ,0xACF2271D ,0x8EA27D2B ,0xFB2D4D3B ,0x78C0D848 ,0xFA8BB99E ,0xD36D0503 ,0x06F90EF3 ,0xB43B1FFC ,0xF2CC58C1 ,0x27585331 ,0x308970D9 ,0x03F107F4 ,0xF7C451C6 ,0x6BBF0602 ,0xDE22ED5B ,0xC4BC26EB ,0x8D537ADF ,0xB13316FB ,0xF593A297 ,0x97CDB16F ,0xEF0D6927 ,0xCA02C947 ,0x29E6BC9D ,0x3C606C24 ,0xB095E25E ,0xAEA5D44C ,0x5A90827E ,0xF09BAB90 ,0xDB2AE45C ,0xA85CDABF ,0x0257F351 ,0x512664D5 ,0xA1BDCF45 ,0x3DC69881 ,0xCF0AC040 ,0x3A9962D7 ,0x7DC8D14F ,0xD97D170D ,0xBB2304F5 ,0x1DC131E6 ,0x8A0C8089 ,0x12D92AEF ,0x2CEEB59A ,0x6EB70F05 ,0x4A1E5BC0 ,0x1586D0B9 ,0x0BB6E6AB ,0xFE25443C ,0x758F3010 ,0xF662A563 ,0x81BA6622 ,0xA6E23513 ,0xE015722E ,0xBA85F050 ,0x46F7473D ,0x1F96C2B7 ,0x4751B398 ,0x41A8BD6B ,0x108ED9BE ,0x69E8F553 ,0x7A972B19 ,0x66F0EE5A ,0x9C7B57C4 ,0xB66CECAD ,0x0CE91CFD ,0xE3E475DA ,0x09E115FA ,0x966B45CA ,0xC012DB49 ,0x7B31DFBC ,0x24A954C5 ,0x61AF140C ,0xB2C2110F ,0x4F1652C7 ,0xE4BB8F8C ,0x4D41A196 ,0x6501E9AE ,0x1B383F15 ,0x37D68A8F ,0x58C7712F ,0x1E303612 ,0x39686523 ,0xC8553A16 ,0x9A825937 ,0x7F9F221E ,0x2EB946CB ,0x312F847C ,0xDF8419FE ,0xA01B3BE0 ,0x3E379F75 ,0x9E2CA495 ,0xC74D211F ,0xC51AD24E ,0x70873917 ,0x5C698C8D ,0x075FFA56 ,0x44A0B46C ,0xBDDA0A06 ,0x943CB69B ,0x77D8C341 ,0xC1B42FEC ,0x5B3676DB ,0xB364E5AA ,0x4849A891 ,0x72D0CA46 ,0xB8D20301 ,0x9B24AD92 ,0x959A423E ,0x52D76321 ,0x2BB14FCC ,0xED5A9A76 ,0x6A19F2A7 ,0x63F8E75D ,0x86E59C74 ,0xF13D5F35 ,0x56799E83 ,0xCEAC34E5 ,0x34278D7B ,0x358179DE ,0xAD54D3B8 ,0x0EBEEFAC ,0xA3EA3C14 ,0xABADDD4B ,0x23F6AE93 ,0x0847E15F ,0xF8DC4ACF ,0xB974F7A4 ,0x3B3F9672 ,0xA744C1B6 ,0x801C9287 ,0xCBA43DE2 ,0x1C67C543 ,0xA51332E7 ,0x4BB8AF65 ,0xD8DBE3A8 ,0x2F1FB26E ,0x36707E2A ,0x04AEFDA2 ,0x450640C9 ,0x49EF5C34 ,0x767E37E4 ,0xD6650C04 ,0x01A6F4A5 ,0xB7CA1808 ,0x79662CED ,0xE8529371 ,0x5DCF7828 ,0x90924B39 ,0xF36AAC64 ,0x0F181B09 ,0x17D123E8 ,0x0D4FE858 ,0x5961858A ,0x2007A967 ,0x2A17BB69 ,0x1420241C ,0x84B26F25 ,0xD7C3F8A1 ,0x400E49CE ,0xCCFBC7B4 ,0x22505A36 ,0xFDD443C8 ,0x250FA060 ,0x8BAA742C ,0x89FD877D ,0xD432FF55 ,]
T3 = [0xD4E9F467 ,0xD2542E6D ,0x8832DE83 ,0x11CD5D33 ,0xF7D09C02 ,0x84537197 ,0x0E0A1012 ,0xB3C9F3CE ,0xE373763E ,0x20EA0560 ,0xF9DA8C10 ,0xAFDDD3EA ,0xA06F11FB ,0x546CE0FC ,0x8638CE91 ,0x07050809 ,0xF2BE2B0D ,0xF0D5940B ,0xD1874368 ,0xB27121CD ,0x18C24528 ,0x2657DF6A ,0x8E8F0489 ,0xB1A24CC8 ,0x6698D5AA ,0xE118C938 ,0x6DFC72B7 ,0xA3BC7CFE ,0xEA7C6E25 ,0x00000000 ,0xB01A9ECB ,0x9F4259BA ,0x78E74A88 ,0x334CE755 ,0x32F43556 ,0x8085149B ,0xDC5E3E7F ,0x44196FCC ,0xCD93634C ,0xF8625E13 ,0xD3ECFC6E ,0x38284048 ,0x9C9134BF ,0xF6684E01 ,0x3F2D4841 ,0x82EEAB9D ,0xC221A15D ,0x624EB0A6 ,0x99FF83B0 ,0x7383ED95 ,0x7A8CF58E ,0x59B59DEB ,0x8BE1B386 ,0x795F988B ,0x42A4B5C6 ,0x0ADC751E ,0x1B11282D ,0x7FE24281 ,0xD6824B61 ,0x619DDDA3 ,0xBB7E39D6 ,0x85EBA394 ,0xEEAA0B29 ,0xF16D4608 ,0xB57429C4 ,0x0B64A71D ,0xA6D2CBF1 ,0x57BF8DF9 ,0x52D13AF6 ,0x3A43FF4E ,0xC399735E ,0x9426FEA7 ,0x70508090 ,0xE9AF0320 ,0x4D1677D7 ,0x6892C5B8 ,0x309F8A50 ,0x2D337877 ,0xBDC3E3DC ,0xBAC6EBD5 ,0xA96009E0 ,0xFF67561A ,0x1AA9FA2E ,0x77558899 ,0x29E51D7B ,0x4A137FDE ,0xDDE6EC7C ,0xD8885B73 ,0xD03F916B ,0x6AF97ABE ,0x1DACF227 ,0x2B8EA27D ,0x3BFB2D4D ,0x4878C0D8 ,0x9EFA8BB9 ,0x03D36D05 ,0xF306F90E ,0xFCB43B1F ,0xC1F2CC58 ,0x31275853 ,0xD9308970 ,0xF403F107 ,0xC6F7C451 ,0x026BBF06 ,0x5BDE22ED ,0xEBC4BC26 ,0xDF8D537A ,0xFBB13316 ,0x97F593A2 ,0x6F97CDB1 ,0x27EF0D69 ,0x47CA02C9 ,0x9D29E6BC ,0x243C606C ,0x5EB095E2 ,0x4CAEA5D4 ,0x7E5A9082 ,0x90F09BAB ,0x5CDB2AE4 ,0xBFA85CDA ,0x510257F3 ,0xD5512664 ,0x45A1BDCF ,0x813DC698 ,0x40CF0AC0 ,0xD73A9962 ,0x4F7DC8D1 ,0x0DD97D17 ,0xF5BB2304 ,0xE61DC131 ,0x898A0C80 ,0xEF12D92A ,0x9A2CEEB5 ,0x056EB70F ,0xC04A1E5B ,0xB91586D0 ,0xAB0BB6E6 ,0x3CFE2544 ,0x10758F30 ,0x63F662A5 ,0x2281BA66 ,0x13A6E235 ,0x2EE01572 ,0x50BA85F0 ,0x3D46F747 ,0xB71F96C2 ,0x984751B3 ,0x6B41A8BD ,0xBE108ED9 ,0x5369E8F5 ,0x197A972B ,0x5A66F0EE ,0xC49C7B57 ,0xADB66CEC ,0xFD0CE91C ,0xDAE3E475 ,0xFA09E115 ,0xCA966B45 ,0x49C012DB ,0xBC7B31DF ,0xC524A954 ,0x0C61AF14 ,0x0FB2C211 ,0xC74F1652 ,0x8CE4BB8F ,0x964D41A1 ,0xAE6501E9 ,0x151B383F ,0x8F37D68A ,0x2F58C771 ,0x121E3036 ,0x23396865 ,0x16C8553A ,0x379A8259 ,0x1E7F9F22 ,0xCB2EB946 ,0x7C312F84 ,0xFEDF8419 ,0xE0A01B3B ,0x753E379F ,0x959E2CA4 ,0x1FC74D21 ,0x4EC51AD2 ,0x17708739 ,0x8D5C698C ,0x56075FFA ,0x6C44A0B4 ,0x06BDDA0A ,0x9B943CB6 ,0x4177D8C3 ,0xECC1B42F ,0xDB5B3676 ,0xAAB364E5 ,0x914849A8 ,0x4672D0CA ,0x01B8D203 ,0x929B24AD ,0x3E959A42 ,0x2152D763 ,0xCC2BB14F ,0x76ED5A9A ,0xA76A19F2 ,0x5D63F8E7 ,0x7486E59C ,0x35F13D5F ,0x8356799E ,0xE5CEAC34 ,0x7B34278D ,0xDE358179 ,0xB8AD54D3 ,0xAC0EBEEF ,0x14A3EA3C ,0x4BABADDD ,0x9323F6AE ,0x5F0847E1 ,0xCFF8DC4A ,0xA4B974F7 ,0x723B3F96 ,0xB6A744C1 ,0x87801C92 ,0xE2CBA43D ,0x431C67C5 ,0xE7A51332 ,0x654BB8AF ,0xA8D8DBE3 ,0x6E2F1FB2 ,0x2A36707E ,0xA204AEFD ,0xC9450640 ,0x3449EF5C ,0xE4767E37 ,0x04D6650C ,0xA501A6F4 ,0x08B7CA18 ,0xED79662C ,0x71E85293 ,0x285DCF78 ,0x3990924B ,0x64F36AAC ,0x090F181B ,0xE817D123 ,0x580D4FE8 ,0x8A596185 ,0x672007A9 ,0x692A17BB ,0x1C142024 ,0x2584B26F ,0xA1D7C3F8 ,0xCE400E49 ,0xB4CCFBC7 ,0x3622505A ,0xC8FDD443 ,0x60250FA0 ,0x2C8BAA74 ,0x7D89FD87 ,0x55D432FF ,]
T4 = [0x67D4E9F4 ,0x6DD2542E ,0x838832DE ,0x3311CD5D ,0x02F7D09C ,0x97845371 ,0x120E0A10 ,0xCEB3C9F3 ,0x3EE37376 ,0x6020EA05 ,0x10F9DA8C ,0xEAAFDDD3 ,0xFBA06F11 ,0xFC546CE0 ,0x918638CE ,0x09070508 ,0x0DF2BE2B ,0x0BF0D594 ,0x68D18743 ,0xCDB27121 ,0x2818C245 ,0x6A2657DF ,0x898E8F04 ,0xC8B1A24C ,0xAA6698D5 ,0x38E118C9 ,0xB76DFC72 ,0xFEA3BC7C ,0x25EA7C6E ,0x00000000 ,0xCBB01A9E ,0xBA9F4259 ,0x8878E74A ,0x55334CE7 ,0x5632F435 ,0x9B808514 ,0x7FDC5E3E ,0xCC44196F ,0x4CCD9363 ,0x13F8625E ,0x6ED3ECFC ,0x48382840 ,0xBF9C9134 ,0x01F6684E ,0x413F2D48 ,0x9D82EEAB ,0x5DC221A1 ,0xA6624EB0 ,0xB099FF83 ,0x957383ED ,0x8E7A8CF5 ,0xEB59B59D ,0x868BE1B3 ,0x8B795F98 ,0xC642A4B5 ,0x1E0ADC75 ,0x2D1B1128 ,0x817FE242 ,0x61D6824B ,0xA3619DDD ,0xD6BB7E39 ,0x9485EBA3 ,0x29EEAA0B ,0x08F16D46 ,0xC4B57429 ,0x1D0B64A7 ,0xF1A6D2CB ,0xF957BF8D ,0xF652D13A ,0x4E3A43FF ,0x5EC39973 ,0xA79426FE ,0x90705080 ,0x20E9AF03 ,0xD74D1677 ,0xB86892C5 ,0x50309F8A ,0x772D3378 ,0xDCBDC3E3 ,0xD5BAC6EB ,0xE0A96009 ,0x1AFF6756 ,0x2E1AA9FA ,0x99775588 ,0x7B29E51D ,0xDE4A137F ,0x7CDDE6EC ,0x73D8885B ,0x6BD03F91 ,0xBE6AF97A ,0x271DACF2 ,0x7D2B8EA2 ,0x4D3BFB2D ,0xD84878C0 ,0xB99EFA8B ,0x0503D36D ,0x0EF306F9 ,0x1FFCB43B ,0x58C1F2CC ,0x53312758 ,0x70D93089 ,0x07F403F1 ,0x51C6F7C4 ,0x06026BBF ,0xED5BDE22 ,0x26EBC4BC ,0x7ADF8D53 ,0x16FBB133 ,0xA297F593 ,0xB16F97CD ,0x6927EF0D ,0xC947CA02 ,0xBC9D29E6 ,0x6C243C60 ,0xE25EB095 ,0xD44CAEA5 ,0x827E5A90 ,0xAB90F09B ,0xE45CDB2A ,0xDABFA85C ,0xF3510257 ,0x64D55126 ,0xCF45A1BD ,0x98813DC6 ,0xC040CF0A ,0x62D73A99 ,0xD14F7DC8 ,0x170DD97D ,0x04F5BB23 ,0x31E61DC1 ,0x80898A0C ,0x2AEF12D9 ,0xB59A2CEE ,0x0F056EB7 ,0x5BC04A1E ,0xD0B91586 ,0xE6AB0BB6 ,0x443CFE25 ,0x3010758F ,0xA563F662 ,0x662281BA ,0x3513A6E2 ,0x722EE015 ,0xF050BA85 ,0x473D46F7 ,0xC2B71F96 ,0xB3984751 ,0xBD6B41A8 ,0xD9BE108E ,0xF55369E8 ,0x2B197A97 ,0xEE5A66F0 ,0x57C49C7B ,0xECADB66C ,0x1CFD0CE9 ,0x75DAE3E4 ,0x15FA09E1 ,0x45CA966B ,0xDB49C012 ,0xDFBC7B31 ,0x54C524A9 ,0x140C61AF ,0x110FB2C2 ,0x52C74F16 ,0x8F8CE4BB ,0xA1964D41 ,0xE9AE6501 ,0x3F151B38 ,0x8A8F37D6 ,0x712F58C7 ,0x36121E30 ,0x65233968 ,0x3A16C855 ,0x59379A82 ,0x221E7F9F ,0x46CB2EB9 ,0x847C312F ,0x19FEDF84 ,0x3BE0A01B ,0x9F753E37 ,0xA4959E2C ,0x211FC74D ,0xD24EC51A ,0x39177087 ,0x8C8D5C69 ,0xFA56075F ,0xB46C44A0 ,0x0A06BDDA ,0xB69B943C ,0xC34177D8 ,0x2FECC1B4 ,0x76DB5B36 ,0xE5AAB364 ,0xA8914849 ,0xCA4672D0 ,0x0301B8D2 ,0xAD929B24 ,0x423E959A ,0x632152D7 ,0x4FCC2BB1 ,0x9A76ED5A ,0xF2A76A19 ,0xE75D63F8 ,0x9C7486E5 ,0x5F35F13D ,0x9E835679 ,0x34E5CEAC ,0x8D7B3427 ,0x79DE3581 ,0xD3B8AD54 ,0xEFAC0EBE ,0x3C14A3EA ,0xDD4BABAD ,0xAE9323F6 ,0xE15F0847 ,0x4ACFF8DC ,0xF7A4B974 ,0x96723B3F ,0xC1B6A744 ,0x9287801C ,0x3DE2CBA4 ,0xC5431C67 ,0x32E7A513 ,0xAF654BB8 ,0xE3A8D8DB ,0xB26E2F1F ,0x7E2A3670 ,0xFDA204AE ,0x40C94506 ,0x5C3449EF ,0x37E4767E ,0x0C04D665 ,0xF4A501A6 ,0x1808B7CA ,0x2CED7966 ,0x9371E852 ,0x78285DCF ,0x4B399092 ,0xAC64F36A ,0x1B090F18 ,0x23E817D1 ,0xE8580D4F ,0x858A5961 ,0xA9672007 ,0xBB692A17 ,0x241C1420 ,0x6F2584B2 ,0xF8A1D7C3 ,0x49CE400E ,0xC7B4CCFB ,0x5A362250 ,0x43C8FDD4 ,0xA060250F ,0x742C8BAA ,0x877D89FD ,0xFF55D432 ,]

def init(key):

    rounds = 10

    _Ke = [[0] * 4 for i in range(rounds + 1)]

    round_key_count = (rounds + 1) * 4
    KC = len(key) // 4

    tk = [ struct.unpack('>i', key[i:i + 4])[0] for i in range(0, len(key), 4) ]

    for i in range(0, KC):
        _Ke[i // 4][i % 4] = tk[i]

    rconpointer = 0
    t = KC
    while t < round_key_count:

        tt = tk[KC - 1]
        tk[0] ^= ((S[(tt >> 16) & 0xFF] << 24) ^
                  (S[(tt >>  8) & 0xFF] << 16) ^
                  (S[ tt        & 0xFF] <<  8) ^
                   S[(tt >> 24) & 0xFF]        ^
                  (rcon[rconpointer] << 24))
        rconpointer += 1

        for i in range(1, KC):
            tk[i] ^= tk[i - 1]

        j = 0
        while j < KC and t < round_key_count:
            _Ke[t // 4][t % 4] = tk[j]
            j += 1
            t += 1
    return _Ke

def encrypt(plaintext, _Ke):

    rounds = len(_Ke) - 1

    (s1, s2, s3) = [1, 2, 3]
    a = [0, 0, 0, 0]

    t = [(struct.unpack('>i', plaintext[4 * i:4 * i + 4])[0] ^ _Ke[0][i]) for i in range(0, 4)]
    sign = 0
    for r in range(1, rounds):
        for i in range(0, 4):
            if sign<2:
                sign += 1
            a[i] = (T1[(t[ i          ] >> 24) & 0xFF] ^
                    T2[(t[(i + s1) % 4] >> 16) & 0xFF] ^
                    T3[(t[(i + s2) % 4] >>  8) & 0xFF] ^
                    T4[ t[(i + s3) % 4]        & 0xFF] ^
                    _Ke[r][i])
        t = copy.copy(a)

    result = [ ]
    for i in range(0, 4):
        tt = _Ke[rounds][i]
        result.append((S[(t[ i           ] >> 24) & 0xFF] ^ (tt >> 24)) & 0xFF)
        result.append((S[(t[(i + s1) % 4] >> 16) & 0xFF] ^ (tt >> 16)) & 0xFF)
        result.append((S[(t[(i + s2) % 4] >>  8) & 0xFF] ^ (tt >>  8)) & 0xFF)
        result.append((S[ t[(i + s3) % 4]        & 0xFF] ^  tt       ) & 0xFF)

    return bytes(result)


def main():
    K = b"x01x23x45x67x89xabxcdxefxfexdcxbax98x76x54x32x10"
    Ke = init(K)

    backend = default_backend()
    key = os.urandom(16)
    iv = encrypt(key, Ke)
    cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=backend)
    decryptor = cipher.decryptor()
    try:
        print("Input a hexstr to decrypt:")
        data = sys.stdin.readline().strip()
        ciphertext = binascii.unhexlify(data)
        plaintext = decryptor.update(ciphertext) + decryptor.finalize()
        print("Decrypted result:")
        print(binascii.hexlify(plaintext).decode())
    except Exception as e:
        pass

    with open("flag", 'rb') as f:
        flag = f.read()
        padder = padding.PKCS7(128).padder()
        flag_padded = padder.update(flag) + padder.finalize()
        encryptor = cipher.encryptor()
        flag_encrypted = encryptor.update(flag_padded) + encryptor.finalize()
        print("Your encrypted flag is:")
        print(binascii.hexlify(flag_encrypted).decode())

if __name__ == '__main__':
    main()

 

题目分析

题目流程如下:

  1. 每次连接随机生成 key 并使用自己实现的加密函数加密得到 iv;
  2. 使用上面的 key ,iv 生成AES对象,加密模式使用 CBC
  3. 接受一个用户输入,返回AES解密结果;
  4. 提供 flag 加密的结果。

也就是说,只要我们得到 ivkey,即可得到 flag

其中获取 iv 是很常见的基本操作,所以这个题的主要工作量在于分析 encrypt 函数。

目测 encrypt 函数和AES查表实现流程相似,当然如果之前不了解AES查表实现通过题目名也能找到。

 

解题过程

获取iv

获取 iv 是一个相对简单的工作,注意到对 CBC 模式,有:

  • m[0] = dec(c[0]) xor iv
  • m[i] = dec(c[i]) xor c[i-1]

那么我们可以构造:

  • c[0] = c[1] = cipher

则:

  • m[0] = dec(cipher) xor iv
  • m[1] = dec(cipher) xor cipher

可以推出:

  • iv = cipher xor m[1] xor m[0]

代码实现:

from pwn import *
from Crypto.Util.number import *

r = remote("207.148.68.109",20002)
r.recv()
cipher = "00"*16
r.sendline(cipher*2)
r.recv()
# Out :Decrypted result: d34c206fb1906727f10155a953d5978d9d876914c0ab817a736ab80663f34e27
#      Your encrypted flag is:
#      7f015db80352a325cacdac4bb25d8ac9494e468fb0aa514d6c916df1b8a0fafe46e9c3aad6fca5f109c414f2f99ffb81
m = "d34c206fb1906727f10155a953d5978d9d876914c0ab817a736ab80663f34e27"
m0,m1 = m[:32],m[32:]
iv = long_to_bytes(bytes_to_long(cipher.decode('hex')) ^ bytes_to_long(m1.decode('hex')) ^ bytes_to_long(m0.decode('hex')))
# In : iv
# Out: 'NxcbI{q;xe6]x82kxedxaf0&xd9xaa'

分析加密函数

上一步中我们已经得到了 ivkey = decrypt(iv),因此我们需要分析加密函数。

AES查表实现:

因为AES的临界时间函数(字节代换, ShiftRow, MixColumn)都作用于单个字节,最直接的AES实现方式比较适合8位处理器,而在现代32位或64位处理器中这种实现方式是非常低效的。

AES查表实现由AES(Rijndael)的设计者提出,其核心思想是创建四个256*32bits的查找表,通过16次查表完成每轮操作,在消耗一定内存的情况下有效提高AES吞吐量(相比直接的软件实现)。

观察题目给的函数特征,发现和AES查表实现流程相似。想起以前读过一个查表实现AES的源码1, 对比后发现过程基本一致。但是代码中的Sbox,Tbox均不同。

关于Sbox,这个不是问题,因为我们依然可以通过Sbox[Sbox_inv[i]] == i找到Sbox_inv;

关于Tbox,找到一篇讲解AES查表实现的文章2,里面的内容不再赘述,比较关键的一点在于 Tbox 的构造,以T1为例,注意运算是在GF(2^8)上进行的:

  • T1[i] =[2, 1, 1, 3]^T * S[i]

但是验证后发现题目代码中的的T盒并不满足上面的式子,注意上面式中S[i]左乘的向量是列混淆矩阵的一列,猜想可能是这个算法对列混淆矩阵进行了更换。

通过尝试发现列混淆矩阵被更换为:

 8 5 7 9
 9 8 5 7
 7 9 8 5
 5 7 9 8

对加密函数的分析,我们得到以下结论:

  1. 函数流程与AES相同;
  2. 函数修改了AES中的S盒,修改后的内容见代码;
  3. 函数修改了AES 列混淆矩阵。

构造解密函数

上一步中我们基本了解了加密函数结构,现在我们需要构造解密函数。

失败的构造

首先很自然的想法是同样构造解密函数的查表实现,参考1,我们需要构造Si, T5, T6, T7, T8, U1, U2, U3, U4共三类9个表。

构造Si:

根据Sbox_inv[Sbox[i]] == i,有:

Si = [0] *256
for i in range(256):
    Si[S[i]] = i

构造Tbox:

参考2,构造解密所用Tbox的流程与加密所用Tbox相同,不过需要使用Si代替S,列混淆矩阵的逆代替列混淆矩阵。

Si 已经在上一步得出,但是很遗憾我并没有找到列混淆矩阵对x^4+1的逆。因此无法成功构造解密函数的查表实现。

正确的构造

虽然构造解密函数的查表实现失败,但是其实上面我们已经把加密流程分析的很清楚了,因此我们依然可以构造解密函数的直接实现,已知:

  • Sbox, Sbox_inv
  • K (题目给的代码里有)
  • 更改后的列混淆矩阵

根据上述条件我们完全可以直接实现这个部分数据被修改的AES并确保加密功能可用,但解密功能所需的 MixColumnsInv 还是需要列混淆矩阵的逆。这里可以采用暴力破解的思路。

对于每一次MixColumnsInv,其输入等于MixColumns后的输出,而对于矩阵乘法而言,输出的一列仅与输入的一列相关,故依次尝试每一列的所有可能即可找到MixColumnsInv应有的输出。

这里每一列有2^32种可能,平均代价为2^31,鉴于每次MixColumnsInv需要暴力破解四列,解密流程需要9轮MixColumnsInv,故平均尝试次数为2^36+2^33计算资源丰富的情况下是可以接受的。

破解时间优化

显然上一步中暴力破解key的算法还有很大优化空间,这里可以使用中间相遇攻击3的思想,这是一种空间换时间的策略。

以一个最简单的问题为例:

输入一个数组和A一个数R,要求找到数组中的两数a,b满足 a+b = R

对于这个问题,最朴素的方式是遍历所有可能的a,b,这需要O(n^2)的时间;但如果我们一次遍历数组,并将映射关系R-i -> i存到哈希表中,我们就可以在第二次遍历时查表找到a,b,在使用了额外n对映射的存储空间后我们可以使用O(n)的时间解决这个问题。

对应到这里的暴破,我们需要找到a1,a2,a3,a4满足下列式子(其中lst = [[8,5,7,9],[9,8,5,7],[7,9,8,5],[5,7,9,8]]):

FFmul(lst[0][0],a1)^FFmul(lst[0][1],a2)^FFmul(lst[0][2],a3)^FFmul(lst[0][3],a4)^res[0][i] == 0
FFmul(lst[1][0],a1)^FFmul(lst[1][1],a2)^FFmul(lst[1][2],a3)^FFmul(lst[1][3],a4)^res[1][i] == 0
FFmul(lst[2][0],a1)^FFmul(lst[2][1],a2)^FFmul(lst[2][2],a3)^FFmul(lst[2][3],a4)^res[2][i] == 0
FFmul(lst[3][0],a1)^FFmul(lst[3][1],a2)^FFmul(lst[3][2],a3)^FFmul(lst[3][3],a4)^res[3][i] == 0

我们可以先计算所有可能的a1,a2,得到下列式子结果并将(t1,t2,t3,t4) -> (a1,a2)到哈希表中:

t1 = FFmul(lst[0][0],a1)^FFmul(lst[0][1],a2)
t2 = FFmul(lst[1][0],a1)^FFmul(lst[1][1],a2)
t3 = FFmul(lst[2][0],a1)^FFmul(lst[2][1],a2)
t4 = FFmul(lst[3][0],a1)^FFmul(lst[3][1],a2)

然后对于所有可能的a3,a4,计算下面的算式:

t1 = FFmul(lst[0][2],a3)^FFmul(lst[0][3],a4)^res[0][i]
t2 = FFmul(lst[1][2],a3)^FFmul(lst[1][3],a4)^res[1][i]
t3 = FFmul(lst[2][2],a3)^FFmul(lst[2][3],a4)^res[2][i]
t4 = FFmul(lst[3][2],a3)^FFmul(lst[3][3],a4)^res[3][i]

如果(t1,t2,t3,t4)在哈希表中,我们就找到了一组满足条件的a1,a2,a3,a4
相比暴力破解的2^32种可能,使用中间相遇攻击只需缓存2^16对映射并最多进行2^17次计算,在我的低配置电脑上完成解密耗时不超过五分钟。

代码及结果

解密代码:

from functools import reduce
import copy

def bit_rot_left(lst, pos):
    return lst[pos:] + lst[:pos]

def bit_rot_right(lst, pos):
    return lst[-pos:] + lst[:-pos]

def lst_xor(lst1, lst2):
    return [i^j for i,j in zip(lst1, lst2)]

def ggwp(res):
    def FFmul(a,b):
        rr = [a]
        def xtime(x):
            return x<<1 ^(0x1b if x&0x80 else 0x00) 
        for i in range(1,8):
            rr.append(xtime(rr[i-1]))
        t = (b & 0x01) * a
        for i in range(1,8):
            t ^= (((b >> i) & 0x01) * rr[i])
        return t&0xff
    lst = [[8,5,7,9],[9,8,5,7],[7,9,8,5],[5,7,9,8]]
    for i in range(4):
        cache = {}
        for a1 in range(0x100):
            for a2 in range(0x100):
                (t1,t2,t3,t4) = FFmul(lst[0][0],a1)^FFmul(lst[0][1],a2), FFmul(lst[1][0],a1)^FFmul(lst[1][1],a2), FFmul(lst[2][0],a1)^FFmul(lst[2][1],a2), FFmul(lst[3][0],a1)^FFmul(lst[3][1],a2)
                if (t1,t2,t3,t4) not in cache:
                    cache[(t1,t2,t3,t4)] = (a1,a2)
        flag = 0
        for a3 in range(0x100):
            for a4 in range(0x100):
                (t1,t2,t3,t4) = FFmul(lst[0][2],a3)^FFmul(lst[0][3],a4)^res[0][i], FFmul(lst[1][2],a3)^FFmul(lst[1][3],a4)^res[1][i], FFmul(lst[2][2],a3)^FFmul(lst[2][3],a4)^res[2][i], FFmul(lst[3][2],a3)^FFmul(lst[3][3],a4)^res[3][i]
                if (t1,t2,t3,t4) in cache:
                    res[0][i],res[1][i],res[2][i],res[3][i] = cache[(t1,t2,t3,t4)]+(a3,a4)
                    flag = 1
                    break
            if flag:
                break
    return res

class AES128:
    Sbox = [147, 67, 93, 110, 158, 230, 2, 61, 72, 101, 156, 57, 234, 28, 95, 1, 38, 159, 43, 236, 109, 181, 141, 132, 127, 241, 197, 130, 75, 0, 85, 227, 194, 178, 99, 143, 65, 163, 47, 77, 146, 8, 139, 79, 9, 54, 252, 22, 51, 120, 123, 118, 53, 19, 115, 107, 5, 195, 42, 126, 239, 55, 34, 78, 237, 186, 58, 116, 204, 177, 45, 89, 16, 35, 160, 125, 218, 15, 63, 62, 233, 76, 212, 17, 102, 161, 144, 40, 250, 196, 213, 223, 96, 24, 50, 104, 247, 36, 148, 11, 249, 246, 149, 185, 207, 154, 41, 37, 49, 124, 100, 203, 90, 12, 119, 113, 18, 48, 206, 134, 164, 66, 114, 94, 202, 251, 25, 106, 39, 240, 140, 243, 91, 184, 69, 86, 80, 97, 191, 199, 220, 215, 103, 117, 176, 84, 226, 21, 87, 29, 188, 30, 44, 128, 245, 145, 244, 46, 201, 238, 253, 187, 211, 68, 52, 224, 232, 7, 92, 182, 6, 13, 111, 219, 189, 255, 171, 157, 32, 168, 136, 108, 200, 190, 229, 165, 20, 208, 138, 27, 155, 64, 129, 225, 26, 209, 137, 216, 180, 254, 192, 235, 31, 121, 98, 231, 152, 170, 248, 135, 81, 214, 112, 88, 166, 150, 131, 169, 133, 142, 153, 162, 33, 23, 56, 173, 14, 83, 70, 179, 73, 105, 82, 210, 74, 193, 183, 217, 198, 3, 242, 167, 228, 174, 172, 4, 221, 59, 71, 60, 10, 151, 175, 222, 122, 205]
    Sbox_r = [29, 15, 6, 239, 245, 56, 170, 167, 41, 44, 250, 99, 113, 171, 226, 77, 72, 83, 116, 53, 186, 147, 47, 223, 93, 126, 194, 189, 13, 149, 151, 202, 178, 222, 62, 73, 97, 107, 16, 128, 87, 106, 58, 18, 152, 70, 157, 38, 117, 108, 94, 48, 164, 52, 45, 61, 224, 11, 66, 247, 249, 7, 79, 78, 191, 36, 121, 1, 163, 134, 228, 248, 8, 230, 234, 28, 81, 39, 63, 43, 136, 210, 232, 227, 145, 30, 135, 148, 213, 71, 112, 132, 168, 2, 123, 14, 92, 137, 204, 34, 110, 9, 84, 142, 95, 231, 127, 55, 181, 20, 3, 172, 212, 115, 122, 54, 67, 143, 51, 114, 49, 203, 254, 50, 109, 75, 59, 24, 153, 192, 27, 216, 23, 218, 119, 209, 180, 196, 188, 42, 130, 22, 219, 35, 86, 155, 40, 0, 98, 102, 215, 251, 206, 220, 105, 190, 10, 177, 4, 17, 74, 85, 221, 37, 120, 185, 214, 241, 179, 217, 207, 176, 244, 225, 243, 252, 144, 69, 33, 229, 198, 21, 169, 236, 133, 103, 65, 161, 150, 174, 183, 138, 200, 235, 32, 57, 89, 26, 238, 139, 182, 158, 124, 111, 68, 255, 118, 104, 187, 195, 233, 162, 82, 90, 211, 141, 197, 237, 76, 173, 140, 246, 253, 91, 165, 193, 146, 31, 242, 184, 5, 205, 166, 80, 12, 201, 19, 64, 159, 60, 129, 25, 240, 131, 156, 154, 101, 96, 208, 100, 88, 125, 46, 160, 199, 175]
    RC = [0x00,0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80, 0x1b, 0x36]

    def __init__(self, key):
        self.subkey = self.key_get(key,)

    def permute(self, lst, tb):
        return [tb[(i>>4) * 16 + (i&0x0f)] for i in lst]


    def key_get(self, key):
        def g(lst,lk):
            lstt = bit_rot_left(lst, 1)
            lstt = self.permute(lstt, self.Sbox)
            lstt[0] ^= self.RC[lk//4]
            return lstt
        tmpK = [[0] * 4 for i in range(44)]
        for i in range(4):
            for j in range(4):
                tmpK[i][j] = ord(key[4*i+j])
        for i in range(4,44):
            if i % 4:
                tmpK[i] = lst_xor(tmpK[i-4], tmpK[i-1])
            else:
                tmpK[i] = lst_xor(tmpK[i-4], g(tmpK[i-1],i))
        return tmpK



    def SubBytes(self):
        self.tmp = [self.permute(i, self.Sbox) for i in self.tmp]
        return

    def SubBytesInv(self):
        self.tmp = [self.permute(i, self.Sbox_r) for i in self.tmp]
        return

    def ShiftRows(self):
        self.tmp = [bit_rot_left(self.tmp[i], i) for i in range(4)]
        return

    def ShiftRowsInv(self):
        self.tmp = [bit_rot_right(self.tmp[i], i) for i in range(4)]
        return

    def MixColumns(self):
        def FFmul(a,b):
            rr = [a]
            def xtime(x):
                return x<<1 ^(0x1b if x&0x80 else 0x00)
            for i in range(1,8):
                rr.append(xtime(rr[i-1]))
            t = (b & 0x01) * a
            for i in range(1,8):
                t ^= (((b >> i) & 0x01) * rr[i])
            return t&0xff
        lst = [[8,5,7,9],[9,8,5,7],[7,9,8,5],[5,7,9,8]]
        self.tmp = [[reduce(lambda x,y: x^y,[FFmul(lst[i][k],self.tmp[k][j]) for k in range(4)]) for j in range(4)] for i in range(4)]
        return

    def MixColumnsInv(self):
        lst = [[8,5,7,9],[9,8,5,7],[7,9,8,5],[5,7,9,8]]
        def FFmul(a,b):
            rr = [a]
            def xtime(x):
                return x<<1 ^(0x1b if x&0x80 else 0x00)
            for i in range(1,8):
                rr.append(xtime(rr[i-1]))
            t = (b & 0x01) * a
            for i in range(1,8):
                t ^= (((b >> i) & 0x01) * rr[i])
            return t
        self.tmp = ggwp(self.tmp)

    def AddRoundKey(self,rd):
        self.tmp = [lst_xor(self.tmp[i], [self.subkey[4*rd + j][i] for j in range(4)]) for i in range(4)]
        return

    def aes_encipher(self,m):
        self.tmp = [[ord(m[i+4*j]) for j in range(4)] for i in range(4)]
        self.AddRoundKey(0)
        for i in range(1,10):
            self.SubBytes()
            self.ShiftRows()
            self.MixColumns()
            self.AddRoundKey(i)
        self.SubBytes()
        self.ShiftRows()
        self.AddRoundKey(10)
        self.tmp = [hex(self.tmp[j][i])[2:].zfill(2) for i in range(4) for j in range(4)]
        return self.tmp

    def aes_decipher(self,m):
        self.tmp = [[ord(m[i+4*j]) for j in range(4)] for i in range(4)]
        self.AddRoundKey(10)
        self.ShiftRowsInv()
        self.SubBytesInv()
        for i in range(9,0,-1):
            self.AddRoundKey(i)
            self.MixColumnsInv()
            self.ShiftRowsInv()
            self.SubBytesInv()
        self.AddRoundKey(0)
        self.tmp = [hex(self.tmp[j][i])[2:].zfill(2) for i in range(4) for j in range(4)]
        return self.tmp

k = "x01x23x45x67x89xabxcdxefxfexdcxbax98x76x54x32x10"
A = AES128(k)
c = 'NxcbI{q;xe6]x82kxedxaf0&xd9xaa'
m = A.aes_decipher(c)
m = bytes([int(i,16) for i in m])
print(m)

解密得到key = b'xc3x81Axa8x84xf9x0b{xb7xe4xf4x14D,xdds'

然后解密flag:

flag = '7f015db80352a325cacdac4bb25d8ac9494e468fb0aa514d6c916df1b8a0fafe46e9c3aad6fca5f109c414f2f99ffb81'
key = b'xc3x81Axa8x84xf9x0b{xb7xe4xf4x14D,xdds'
iv = b'NxcbI{q;xe6]x82kxedxaf0&xd9xaa'
cipher = Cipher(algorithms.AES(key), modes.CBC(iv), backend=backend)
ciphertext = binascii.unhexlify(flag)
decryptor = cipher.decryptor()
plaintext = decryptor.update(ciphertext) + decryptor.finalize()
print(plaintext)
# Out:b'RCTF{88358abe-e571-4bdf-95a3-93e9d8ddf558}x06x06x06x06x06x06'

 

FLAG值

  • RCTF{88358abe-e571-4bdf-95a3-93e9d8ddf558}

 

结语

做题的时候浪费了太多时间在求列混淆矩阵的逆,结果发现很多时候还是暴破靠谱。

 

参考

  1. https://github.com/ricmoo/pyAES
  2. https://zhuanlan.zhihu.com/p/42264499
  3. https://en.wikipedia.org/wiki/Meet-in-the-middle_attack
  4. 《深入浅出密码学——常用加密技术原理与应用》

本文由bekd原创发布

转载,请参考转载声明,注明出处: https://www.anquanke.com/post/id/178900

安全客 - 有思想的安全新媒体

分享到:微信
+13赞
收藏
bekd
分享到:微信

发表评论

内容需知
  • 投稿须知
  • 转载须知
  • 官网QQ群8:819797106
  • 官网QQ群3:830462644(已满)
  • 官网QQ群2:814450983(已满)
  • 官网QQ群1:702511263(已满)
合作单位
  • 安全客
  • 安全客
Copyright © 北京奇虎科技有限公司 360网络攻防实验室 安全客 All Rights Reserved 京ICP备08010314号-66