import string
from base64 import *
b=b64decode("RU9CRC43aWdxNDs3NDFSOzFpa1I1MWliT08w") #原题RU9CRC43aWdxNDs3NDFSOzFpa1I1MWliT08w,本题:aWdxNDs3NDFSOzFpa1I1MWliT08w
data=list(b)
for k in range(0,200):
key=""
for i in range(len(data)):
key+=chr(ord(data[i])^k)
print key+"\n"
EOBD.7igq4;741R;1ikR51ibOO0
igq4;741R;1ikR51ibOO0
FLAG-4jdr78472Q82jhQ62jaLL3
jdr78472Q82jhQ62jaLL3
内存取证
先imageinfo
volatility -f data.vmem imageinfo
Volatility Foundation Volatility Framework 2.6
INFO : volatility.debug : Determining profile based on KDBG search...
Suggested Profile(s) : WinXPSP2x86, WinXPSP3x86 (Instantiated with WinXPSP2x86)
AS Layer1 : IA32PagedMemoryPae (Kernel AS)
AS Layer2 : FileAddressSpace (/mnt/c/Users/wdbbw/Desktop/baby_forensic/data3/data.vmem)
PAE type : PAE
DTB : 0xb18000L
KDBG : 0x80546ae0L
Number of Processors : 1
Image Type (Service Pack) : 3
KPCR for CPU 0 : 0xffdff000L
KUSER_SHARED_DATA : 0xffdf0000L
Image date and time : 2019-09-04 14:22:51 UTC+0000
Image local date and time : 2019-09-04 22:22:51 +0800
查进程
volatility -f data.vmem pslist
看一眼cmd
volatility -f data.vmem cmdscan
Volatility Foundation Volatility Framework 2.6
**************************************************
CommandProcess: csrss.exe Pid: 440
CommandHistory: 0x3713850 Application: cmd.exe Flags: Allocated, Reset
CommandCount: 1 LastAdded: 0 LastDisplayed: 0
FirstCommand: 0 CommandCountMax: 50
ProcessHandle: 0x424
Cmd #0 @ 0x55d868: hill_matrix 3,2,2,9,7,7,6,4,9
有一个hill密钥矩阵
找密文
看一眼文件,有一堆,查有没有zip
volatility -f data.vmem filescan | grep zip
Volatility Foundation Volatility Framework 2.6
0x00000000012f6028 1 0 R--r-- \Device\HarddiskVolume1\Documents and Settings\Administrator\桌面\disk.zip
0x00000000016bb390 1 0 R--rwd \Device\HarddiskVolume1\WINDOWS\system32\zipfldr.dll
dump出来
volatility -f data.vmem dumpfiles -Q 0x00000000012f6028 -D ./ -u
解压得到disk.img,挂载看一波
mount -o loop message.img /mnt
cd /mnt
有一个usb.pcapng
tshark -r usb.pcapng -T fields -e usb.capdata > usbdata.txt
键盘数据包
mappings = { 0x04:"A", 0x05:"B", 0x06:"C", 0x07:"D", 0x08:"E", 0x09:"F", 0x0A:"G", 0x0B:"H", 0x0C:"I", 0x0D:"J", 0x0E:"K", 0x0F:"L", 0x10:"M", 0x11:"N",0x12:"O", 0x13:"P", 0x14:"Q", 0x15:"R", 0x16:"S", 0x17:"T", 0x18:"U",0x19:"V", 0x1A:"W", 0x1B:"X", 0x1C:"Y", 0x1D:"Z", 0x1E:"1", 0x1F:"2", 0x20:"3", 0x21:"4", 0x22:"5", 0x23:"6", 0x24:"7", 0x25:"8", 0x26:"9", 0x27:"0", 0x28:"\n", 0x2a:"[DEL]", 0X2B:" ", 0x2C:" ", 0x2D:"-", 0x2E:"=", 0x2F:"[", 0x30:"]", 0x31:"\\", 0x32:"~", 0x33:";", 0x34:"'", 0x36:",", 0x37:"." }
nums = []
keys = open('usbdata.txt')
for line in keys:
if line[0]!='0' or line[1]!='0' or line[3]!='0' or line[4]!='0' or line[9]!='0' or line[10]!='0' or line[12]!='0' or line[13]!='0' or line[15]!='0' or line[16]!='0' or line[18]!='0' or line[19]!='0' or line[21]!='0' or line[22]!='0':
continue
nums.append(int(line[6:8],16))
keys.close()
output = ""
for n in nums:
if n == 0 :
continue
if n in mappings:
output += mappings[n]
#else:
# output += '[unknown]'
print 'output :\n' + output
'UUTDOBZIPSRN'.HILLDECODEAABAAAAABBAABBABCBABBBCCCBBBCDCCCCECCCCECCCEDCCDCDCCCDDCDEDDCCFCDCDFCDCDCCECDCCCDCCCBCBDBBBBBCBBBBACBAABABAAAAABAABAAAAAAAAAAAAAAAAAAAAA
得到密文UUTDOBZIPSRN
解密得到QLBPGZBSTWEL
qlbpgzbstwel
flag为小写wdnmd
本作品采用知识共享署名-非商业性使用-禁止演绎 4.0 国际许可协议(CC BY-NC-ND 4.0)进行许可。
This work is licensed under the Creative Commons Attribution-NonCommercial-NoDerivatives 4.0 International License (CC BY-NC-ND 4.0).