## 第二题 子鼠开天
### 算法识别
从字符串信息可知,文件用了openssl_0.9.8这个库,导入相应版本的sig文件后可以识别部分代码
[openssl_0.9.8.sig](622K9s2c8@1M7s2y4Q4x3@1q4Q4x3V1k6Q4x3V1k6Y4K9i4c8Z5N6h3u0Q4x3X3g2U0L8$3#2Q4x3V1k6H3N6i4y4Z5x3r3g2T1M7q4)9J5c8Y4y4A6k6#2)9J5k6r3c8S2N6r3q4T1j5i4y4W2i4K6u0r3j5X3I4G2j5W2)9J5c8X3#2S2M7%4c8W2M7W2)9J5c8Y4N6A6L8X3c8G2N6%4y4Q4x3V1k6G2M7r3g2F1M7%4y4D9i4K6g2X3x3q4)9J5k6e0W2Q4x3X3f1^5i4K6u0W2M7$3W2Y4i4K6t1&6
其他没有识别出来的函数可以通过固定参数或者对比openssl源码识别
sub_4019B0 -> sha512 (0xF3BCC908, 0x6A09E667...)
sub_401560 -> md5 (0x67452301, 0xEFCDAB89...)
sub_404FE0 -> AES_set_encrypt_key
sub_4053A0 -> AES_set_decrypt_key
sub_sub_4010F0 -> 最后一个参数为1是是AES加密,为0时是AES解密
sub_401210 -> rsa
### 加密过程
sn:AES**解密** -> RSA加密
name: sha512 -> md5 -> sha512 -> md5
sn加密结果的后16字节与nams计算hash后的16字节相等且sn的前两个字节为0002,第16个字节为0
### solve
```python
#coding=utf-8
import gmpy2
import hashlib
from Crypto.Cipher import AES
import base64
import math
from binascii import b2a_hex, a2b_hex
class prpcrypt():
def __init__(self):
s = "480b62c3acd6c8a36b18d9e906cd90d2"
self.key = s.decode('hex')
self.mode = AES.MODE_ECB
def encrypt(self, text):
cryptor = AES.new(self.key, self.mode)
length = 16
count = len(text)
if count % length != 0:
add = length - (count % length)
else:
add = 0
text = text + ('\0' * add)
self.ciphertext = cryptor.encrypt(text)
return b2a_hex(self.ciphertext)
def decrypt(self, text):
cryptor = AES.new(self.key, self.mode)
plain_text = cryptor.decrypt(a2b_hex(text))
return plain_text.rstrip('\0')
n = 0x69823028577465ab3991df045146f91d556dee8870845d8ee1cd3cf77e4a0c39
p = 201522792635114097998567775554303915819
q = 236811285547763449711675622888914229291
phi = (p - 1) * (q - 1)
e = 65537
d = gmpy2.invert(e, phi)
x = 0x02000000000000000000000000000014af58ad4d76d59d8d2171ffb4ca2231
msg = hex(pow(x,d,n)).strip('L')[2:]
pr = prpcrypt()
c1 = pr.encrypt(msg[:32].decode('hex'))
c2 = pr.encrypt(msg[32:64].decode('hex'))
print c1+c2
```
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
