1.题目：PHP_encrypt_1(ISCCCTF)

image.png

2.下载附件解压打开后是php代码

function encrypt($data,$key)
{
    $key = md5('ISCC');
    $x = 0;
    $len = strlen($data);
    $klen = strlen($key);
    for ($i=0; $i < $len; $i++) { 
        if ($x == $klen)
        {
            $x = 0;
        }
        $char .= $key[$x];
        $x+=1;
    }
    for ($i=0; $i < $len; $i++) {
        $str .= chr((ord($data[$i]) + ord($char[$i])) % 128);
    }
    return base64_encode($str);
}
?>

但是好像少了点啥啊
去网上搜了大佬们的writup发现函数返回值好像没了

output: fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA=

好了有了返回值就可以逆向推导出传入的data是什么了(所以说这道题是我做的第一道逆向题，嗯就是这样ԅ(¯﹃¯ԅ)

3.用python重新写了一下这个函数，同时理解一下这个函数是干嘛的

# -*- coding: UTF-8 -*-
import base64
import hashlib


def eccrypt(data):
    key = hashlib.md5('ISCC').hexdigest()
    # print 'key-->', key
    x = 0
    char = ''
    data_len = len(data)  # data的长度
    key_len = len(key)  # key的长度
    for i in range(data_len):
        if x == key_len:
            x = 0
        char += key[x]
        x += 1
    # print 'char-->', char
    flag = ''
    for i in range(data_len):
        flag += chr((ord(data[i]))+(ord(char[i])) % 128)
    # print 'flag-->', flag
    return base64.b64encode(flag)

'''
def detrcy(b64):
    int_b64 = []
    b64de = base64.b64decode(b64)
    # print 'b64de-->', b64de
    # print 'len_b64de-->', len(b64de)
    for i in range(len(b64de)):
        int_b64.append(ord(b64de[i]))
    # print 'int_b64-->',int_b64
    # print 'len_int_b64-->', len(int_b64)
    key = '729623334f0aa2784a1599fd374c120d729623'
    int_key = []
    for i in range(len(key)):
        int_key.append(ord(key[i]))
    # print 'int_key-->', int_key
    flag = ''
    for i in range(len(int_b64)):
        flag += chr((int_b64[i]-int_key[i]+128)%128)
    print flag
'''

if __name__ == '__main__':
    str_b64 = eccrypt('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
    print 'str_b64-->', str_b64
    # str_b64 = 'fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA='
    # print 'str_b64-->', str_b64
    # detrcy(str_b64)

4.最后就是写解密方法了

# -*- coding: UTF-8 -*-
import base64
# import hashlib

'''
def eccrypt(data):
    key = hashlib.md5('ISCC').hexdigest()
    # print 'key-->', key
    x = 0
    char = ''
    data_len = len(data)  # data的长度
    key_len = len(key)  # key的长度
    for i in range(data_len):
        if x == key_len:
            x = 0
        char += key[x]
        x += 1
    # print 'char-->', char
    flag = ''
    for i in range(data_len):
        flag += chr((ord(data[i]))+(ord(char[i])) % 128)
    # print 'flag-->', flag
    return base64.b64encode(flag)
'''


def detrcy(b64):
    int_b64 = []
    b64de = base64.b64decode(b64)
    # print 'b64de-->', b64de
    # print 'len_b64de-->', len(b64de)
    for i in range(len(b64de)):
        int_b64.append(ord(b64de[i]))
    # print 'int_b64-->',int_b64
    # print 'len_int_b64-->', len(int_b64)
    key = '729623334f0aa2784a1599fd374c120d729623'  # 知道data的长度后直接写出来
    int_key = []
    for i in range(len(key)):
        int_key.append(ord(key[i]))
    # print 'int_key-->', int_key
    flag = ''
    for i in range(len(int_b64)):
        flag += chr((int_b64[i]-int_key[i]+128) % 128)
    print flag


if __name__ == '__main__':
    # str_b64 = eccrypt('XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX')
    # print 'str_b64-->', str_b64
    str_b64 = 'fR4aHWwuFCYYVydFRxMqHhhCKBseH1dbFygrRxIWJ1UYFhotFjA='
    # print 'str_b64-->', str_b64
    detrcy(str_b64)

(代码审计，密码学，web)

BugkuCTF_PHP_encrypt_1(ISCCCTF)

1.题目：PHP_encrypt_1(ISCCCTF)

2.下载附件解压打开后是php代码

3.用python重新写了一下这个函数，同时理解一下这个函数是干嘛的

4.最后就是写解密方法了

你可能感兴趣的:(BugkuCTF_PHP_encrypt_1(ISCCCTF))