
@tqkve
Created August 28, 2016 17:53
import sys
import zipfile
import os
'''
usage: python extract.py EXE_file
'''
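def extract(filename):
    """Peel a chain of nested ZIP wrappers and leave the payload in extracted.exe.

    ``filename`` is opened as a ZIP archive and the member stored under that
    same name is written to ``test1.exe``.  Each ``test<i>.exe`` is then opened
    as a ZIP in turn and the same member is written to ``test<i+1>.exe`` until
    a layer is no longer an archive containing that member; that layer is
    renamed to ``extracted.exe``.

    Output names are fixed strings in the current directory, so member names
    inside the archives never decide where data is written.  Every layer is
    read fully into memory and the result is an untrusted executable: size
    limits and an isolated working directory are the caller's responsibility.
    At most 99 further layers are peeled; if that cap is reached the last layer
    stays in ``test100.exe`` and nothing is renamed.
    """
    with zipfile.ZipFile(filename) as zf:
        first_layer = zf.read(filename)
    with open('test1.exe', 'wb') as f:
        f.write(first_layer)

    for i in range(1, 100):
        old_file = 'test' + str(i) + '.exe'
        new_file = 'test' + str(i + 1) + '.exe'
        try:
            # Read the member before creating the next file so a failed layer
            # leaves no empty test<i+1>.exe behind.
            with zipfile.ZipFile(old_file) as zf:
                inner = zf.read(filename)
        except (zipfile.BadZipfile, KeyError):
            # Not a ZIP, or a ZIP without the expected member: this is the
            # innermost layer.  Any other error (I/O failure, Ctrl-C) propagates
            # instead of being reported as success.
            print('Done')
            os.rename(old_file, "extracted.exe")
            break
        with open(new_file, "wb") as f:
            f.write(inner)
        os.remove(old_file)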
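if __name__ == "__main__":
    # Check the argument count first: indexing sys.argv[1] directly raises
    # IndexError when the script is started without an argument.
    if len(sys.argv) > 1 and sys.argv[1]:
        extract(sys.argv[1])
    else:
        sys.exit("usage: python extract.py EXE_file")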
import base64
# Challenge constants: the key material and the eight encoded flag fragments.
alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz1234567890_+?{}%^&*$#@()-"
s = alphabet[:40]
check = ["DRsRI3Y", "HCU4M3E", "AhsGCg8", "OA8tFQQ", "ehsmcQw", "EwRwcR0", "czYhdDU", "dxEaHiY"]

# Each fragment gets its base64 padding restored, is decoded, and then has its
# last two bytes moved to the front.
tmp = []
for encoded in check:
    tmp2 = base64.b64decode(encoded + "=")
    tmp.append(tmp2[-2:] + tmp2[:-2])

# The fragment list itself is rotated by four positions.
tmp = tmp[-4:] + tmp[:-4]
def xor(s1, s2):
    """XOR two strings character by character.

    Pairing stops at the end of the shorter argument, so the result is as
    long as the shorter of the two inputs.
    """
    mixed = []
    for left, right in zip(s1, s2):
        mixed.append(chr(ord(left) ^ ord(right)))
    return ''.join(mixed)
# XOR every fragment with the key and concatenate the results.  xor() stops at
# the shorter operand, so each fragment only meets the leading characters of s.
flag = ''.join(xor(fragment, s) for fragment in tmp)
# The assembled text is rotated by ten characters before it is shown.
print("Flag: " + flag[-10:] + flag[:-10])
# Flag: KMA_CTF{Kh0N9_c0_P@55w0rd_d4U_b4N_Tr3_a}
import hashlib
import string
# Eight 5-character filler runs; main() deletes each of them from the
# recovered text before the flag is reassembled.
junks = ["lmnop", "vwxyz", "67890", "%^&*$", "qrstu", "12345", "_+?{}", "#@()-"]
# Permutation used by main(): the i-th 5-character group of the cleaned text
# is stored at position key[i] of the final flag.
key = [0, 4, 1, 5, 2, 6, 3, 7]
# Candidate alphabet that brute_piece() iterates over.
# NOTE: string.letters exists only on Python 2.
d = string.letters + "_{}%^&*$+?#@()-" + string.digits
# Uppercase hex digests, one per 4-character piece of the text in main()
# (check[i] belongs to piece i).  The entries are 32, 40 or 64 hex characters
# long; main() picks the hash function from the piece index.
# Because every digest covers only four characters, each piece can be searched
# exhaustively on its own, whichever hash function produced it.
check =[
"51264F38263D5D69E05F2670E0119D70661B259E",
"AE3244486431146DF1636717108A49AB",
"B3D42B947B87FA8FF5BA619782916A1C",
"0CBDFB4F8F7EDA687A543732A176BC280E261CB7",
"17F488F768DB8FBE7A408A9469203C61E03B5FE43214B95A00E7C0C52D2FD933",
"E28DF3961AEE9AC880557F4B8A96D103E8A88A16",
"AA54B78E8A21BA9421112A77A0A04853DA0D7FD6",
"B55587EEEB2609CE6460B20C2C04C6E1",
"1245C9563C99BEFBDFC0FC56FE75D4E0C9354DC21B07C8F88CFEFFD639C5156F",
"89D0FC5DCD7CD7305DD9688420AA93CE361E2968",
"C4DCA1964765F10DC4725D7B86FD88AB383EDDB8",
"9BCB281DB0E17D95A5663763C55BB882",
"6B4A082051FCCE0B482933B13E8B6444AE2A2E090805FBE430AE0AC27CB34B11",
"8BF77E4DA8E1E3838BB1BA134CD7F705",
"81B073DE9370EA873F548E31B8ADC081",
"91381C5885CCBF2E211793043648F71C8699412F",
"EC35B54657B858C7D391D4BC81AA288B2633E5440C56A76F056509D8A4DA1E74",
"B8768EE701F60A25C8A42A8CDA6E57DB",
"9493E9680EC0F3BDFE45A66BEBC2DD4F47982C51",
"8359CE59B193367DAFBD4C1F43F2E367",
]
# Digest -> plaintext pairs for pieces whose text was already known; the keys
# are lowercase forms of entries in check.  Source noted by the author:
# https://hashkiller.co.uk
# This table is not referenced by the other code in this listing.
known_hashs = {
"51264f38263d5d69e05f2670e0119d70661b259e": "KMA_",
"ae3244486431146df1636717108a49ab": "Clmn",
"b3d42b947b87fa8ff5ba619782916a1c": "opO_",
"e28df3961aee9ac880557f4b8a96d103e8a88a16": "TF_{",
"b55587eeeb2609ce6460b20c2c04c6e1": "90_t",
"c4dca1964765f10dc4725d7b86fd88ab383eddb8": "E_Kh",
"9bcb281db0e17d95a5663763c55bb882": "0qrs",
"8bf77e4da8e1e3838bb1ba134cd7f705": "_l41",
"81b073de9370ea873f548e31b8adc081": "2345",
"91381c5885ccbf2e211793043648f71c8699412f": "Ng_K",
"b8768ee701f60a25c8a42a8cda6e57db": "{}_W",
"8359ce59b193367dafbd4c1f43f2e367": "@()-",
}
def md5(s):
    """Return the lowercase hex MD5 digest of ``s``."""
    hasher = hashlib.md5()
    hasher.update(s)
    return hasher.hexdigest()
def sha1(s):
    """Return the lowercase hex SHA-1 digest of ``s``."""
    hasher = hashlib.sha1()
    hasher.update(s)
    return hasher.hexdigest()
def sha256(s):
    """Return the lowercase hex SHA-256 digest of ``s``."""
    hasher = hashlib.sha256()
    hasher.update(s)
    return hasher.hexdigest()
def ripemd(s):
    """Return the lowercase hex RIPEMD-160 digest of ``s``.

    The algorithm is requested by name through hashlib.new().
    """
    return hashlib.new('ripemd160', s).hexdigest()
def split_arrn(str, n):
    """Cut ``str`` into consecutive slices of length ``n``.

    The final slice is shorter when the length is not a multiple of ``n``.
    """
    pieces = []
    for start in range(0, len(str), n):
        pieces.append(str[start:start + n])
    return pieces
def find(s, chr):
    """Return the indexes of every element of ``s`` that equals ``chr``."""
    positions = []
    for index, item in enumerate(s):
        if item == chr:
            positions.append(index)
    return positions
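def brute_piece(hash_func, digest, piece):
    """Recover the unknown characters of one piece by exhaustive search.

    The search is feasible only because each digest covers a single short
    piece: hashing small chunks independently lets every chunk be attacked
    on its own, whichever hash function is used.

    Args:
        hash_func: callable returning the hex digest of a candidate string.
        digest: uppercase hex digest the completed piece must hash to.
        piece: the piece text, with ``*`` at every unknown position.

    Returns:
        The first candidate whose upper-cased digest equals ``digest``, or
        ``None`` when no combination of characters from ``d`` matches.
    """
    import itertools  # local import; the file's import block stays as it is

    occurs = find(piece, "*")
    candidate = list(piece)
    # A single product loop covers any number of unknown positions and visits
    # the assignments in the order nested loops over ``d`` would.
    for combo in itertools.product(d, repeat=len(occurs)):
        for position, char in zip(occurs, combo):
            candidate[position] = char
        tmp_text = "".join(candidate)
        if hash_func(tmp_text).upper() == digest:
            print("Found: " + tmp_text)
            return tmp_text
    return None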
def main():
    """Fill in the unknown pieces, strip the filler runs and print the reordered flag."""
    # "*" marks a character that still has to be recovered.
    known_text = "KMA_ClmnopO_***vwxyzTF_{*67890_t***%^&*$E_Kh0qrstu**_l412345Ng_K*_+?{}_W***#@()-"
    arr4 = split_arrn(known_text, 4)
    for index, piece in enumerate(arr4):
        if "*" not in piece:
            continue
        # The piece index selects the hash; the first matching divisor wins.
        for divisor, candidate_func in ((5, sha1), (4, sha256), (3, ripemd)):
            if index % divisor == 0:
                hash_func = candidate_func
                break
        else:
            hash_func = md5
        recovered = brute_piece(hash_func, check[index], piece)
        known_text = known_text.replace(piece, recovered)
    # known_text = "KMA_ClmnopO_NhivwxyzTF_{R67890_tU_t%^&*$E_Kh0qrstuIn_l412345Ng_Kh_+?{}_Win}#@()-"

    # Drop the filler runs, then put each 5-character group at its slot in key.
    for junk in junks:
        known_text = known_text.replace(junk, "")
    flag = split_arrn(known_text, 5)
    tflag = [None] * 8
    for source_pos, target_pos in enumerate(key):
        tflag[target_pos] = flag[source_pos]
    print("Flag: " + "".join(tflag))
# Script entry point: run the solver only when the file is executed directly.
if __name__ == "__main__":
    main()
# Flag: KMA_CTF_{RE_Kh0Ng_KhO_Nhi_tU_tIn_l4_Win}