吾爱破解 - 52pojie.cn
[CTF] 2025 Software System Security Competition: kernel_traffic

OP
Azuria posted on 2025-1-7 21:09

Who hard-codes the public key and the private key right next to each other, seriously.

The client ships without symbols, but the gmp signatures can be recovered with a sig file; then import gmp.h to fix up the function signatures.

main calls sub_161C, which reads 16 bytes from /dev/urandom, RSA-1024-encrypts them and sends them to the server.



The server returns a 16-byte key; after decryption it is XORed with the client's key to form the RC4 key.

factordb has no entry for the public modulus n, so I boldly guessed that the other big number is the private exponent d. That is easy to verify, but I didn't think of it at the time.

Next comes communication with the driver.



The driver side collects shift, ledstate and value.

Back on the client side, after reading the key events captured by the driver it RC4-encrypts them and applies a shuffle, then sends the timestamp, the size and the data.

The shuffle is a pseudo-random permutation seeded with the timestamp.

So the plan is roughly: recover the RC4 key, decrypt the data, and finally rebuild the flag from the keycodes.

import ctypes
import struct

# (timestamp, payload) pairs pulled from traffic.pcapng; the timestamp is little-endian hex
p = [
    ["c9a43567", "a92066b352dd8b65a0840fba"],
    ["c9a43567", "d21c608abafe1fa3ed22ee1b"],
    ["caa43567", "5cd8e734e9ff3ddc88f82ff6"],
    ["cba43567", "0f2c1f33a63872e89d85419d"],
    ["cda43567", "9c4c416a6c33912c5d2dbea3"],
    ["cda43567", "3405e1f86f204cb3233cee47"],
    ["cfa43567", "babf35d58fb039f34ac0bc68"],
    ["d0a43567", "69c3563248492fa3dd39c300"],
    ["d1a43567", "9660928ac69bd2c5ed38c575"],
    ["d3a43567", "8068f321bb9f3ad2db1733fc"],
    ["d4a43567", "d0d76861912565a75fab99ea"],
    ["d4a43567", "d5e4f21427976a29b28d2465"],
    ["d5a43567", "b8dc14e8f9e098ee0eae689c"],
    ["d5a43567", "8d0a397c810b8e6387dc5317"],
    ["d5a43567", "1a972a6c158c1bda02fc43de"],
    ["d5a43567", "297eaa03818999b004297ca8"],
    ["d5a43567", "c66c97a36a413d0fe38a57c5"],
    ["d8a43567", "1809619ecdf37f837d44f986"],
    ["d8a43567", "3b52e6a439e9f1ee97daa235"],
    ["d9a43567", "a44507aa2e755b35675722fc"],
    ["dba43567", "12d4da0167e78a3cd8080e4e"],
    ["dda43567", "83202fb19c2937cb9e3015e1"],
    ["dda43567", "a34e094fd2e4cc0fc0d52e08"],
    ["e0a43567", "c5323082d0db41cc22eaf37e"],
    ["e0a43567", "c2fe09cd87dd6b8dc540b11f"],
    ["e1a43567", "9f34dc29085976f1f1f4804c"],
    ["e1a43567", "5928e0ea62033a917bbe2439"],
    ["e1a43567", "25e8f3be3759dae1dddf5760"],
    ["e1a43567", "a1985a4755ed3b39af887410"],
    ["e1a43567", "b6dd7db5d3da879d6fcce465"],
    ["e1a43567", "907194e5ccf0ab56d9cee5fc"],
    ["e1a43567", "a0d42f568286477b5000a21e"],
    ["e3a43567", "fab0826bcd5e77a70d11ca95"],
    ["e3a43567", "3c0b8f780746b6c870b8eb3d"],
    ["e6a43567", "a25ad5f8ab74414f116791af"],
    ["e8a43567", "31b2eed379afb67f9aa962bf"],
    ["e8a43567", "802421958e372da29ca75ae7"],
    ["eba43567", "ed3db7f76f2b1fc8ace9dccb"],
    ["eba43567", "12b5a5a2a5a161c619319de9"],
    ["eba43567", "aefd55c6cdbef465b24dca78"],
    ["eba43567", "daf9a0aef390e56d2c59da48"],
    ["f0a43567", "a7e1347f096846f5b8f08c8b"],
    ["f1a43567", "4754a89602a3902d44f2d151"],
    ["f1a43567", "92a034c0c522c297349f7cff"],
    ["f3a43567", "19a5598acb6abf72ab62e79c"],
    ["f4a43567", "ebcca8b0c020566761d8484b"],
    ["f5a43567", "bc65b1fd58a6c24a2bcdb23c"],
    ["f5a43567", "dee8f9c766cb33cb771f8bab"],
    ["f6a43567", "547c2274e7be1e8a492d2566"],
    ["f6a43567", "5c60476d6f22c523af08e883"],
    ["f6a43567", "29ea7e1ccd945a6fec3f1bbf"],
    ["f6a43567", "816f99fc399b312a76a61b97"],
]

# RSA-1024 parameters hard-coded in the client: modulus n, private exponent d
# (the second big constant sitting next to n) and public exponent e
n = 0xB7DB0B385F4CFB85BF9AF7C1C8298EC4D691C8341B8A09D3E0F1685F1E9E8198B03426855EE144C38C10B623AE2F1F671B9AEE7A8A7A49FC46154C5D57D1827C28BDF1AEB7CBF259EE1564DD24FCAA66F1E95DB6652BBD8F4B1EF1A7BD698085609B8D50A714162BEDC8F9478807984FA257BA6647D0A18CB5595BCD789CB8B7
d = 0x18260D333A5142382F128BB848322D2E6D80786B5FB2A1D7D293E2C19BA3F621B803218C230A339DFBA7B644B97C3703B3FC859652D9FD1DC596C690FC17E8AB6D2DE44FCDDC6D7AF84FC50175347CEBF1AEB4C920036FAB4A20B4BA44B72F69D45E6ED40111BFF5D1186087DC40D31C22BEC7BDD6C39E079C518A2A385ECB01
e = 65537

# The client's 16 random bytes, recovered by decrypting the ciphertext it sent to the server
k = 0x44CDE3547452C9A91BA250747568BF5FA64CC42FA99111D33A51E82AA99E20A2F07073CC1BA492243964FD85834526EBC6BC6ED0E4216353EFB8B9561D94BF0C5A3BBB8C452BDC961C9136F90860E76239CC22DDF9293BC3E23F0C7B3873D58CDDE51EDF1D8864E47708DD811B29DEDE65971F9FAD6FA8C38ACA2B4E98736267
k = pow(k, d, n).to_bytes(16, "little")

# The server's 16-byte key, decrypted the same way
t = 0x81281A405E55002BB71C31B7429D0240FDC14FA4A5E646ED6BF888CD5D1AE6A8FDA3ADDED2CBB29A3BE7F41359E1FF40E6763BFB843A8E417F799062DBE3207CCAF56D09A7C70CD45D48032F35CA8B485D4C372D42164C6A90E15824EA95CD426DAB6DE5D065D19FE31B2E72662393F422AF8C0B20D478C23BAF63CCEC0A18AC
t = pow(t, d, n).to_bytes(16, "little")

# Combine both halves byte-wise into the RC4 key: client ^ (server * 17)
k = bytes((x ^ (y * 17) & 0xFF) for x, y in zip(k, t))

# RC4 key scheduling. S, x and y persist across packets, so the capture must be replayed in order.
S = bytearray(range(256))
j = 0
for i in range(256):
    j = (j + S[i] + k[i % len(k)]) & 255
    S[i], S[j] = S[j], S[i]

# keycode -> character, taken from input-event-codes.h
# https://github.com/torvalds/linux/blob/v6.12/include/uapi/linux/input-event-codes.h#L75-L125
# NOTE: shift+- -> _
keymap = {
    2: "1",
    3: "2",
    4: "3",
    5: "4",
    6: "5",
    7: "6",
    8: "7",
    9: "8",
    10: "9",
    11: "0",
    12: "_",  # shift+- -> _
    16: "q",
    17: "w",
    18: "e",
    19: "r",
    20: "t",
    21: "y",
    22: "u",
    23: "i",
    24: "o",
    25: "p",
    26: "{",  # shift+[ -> {
    27: "}",  # shift+] -> }
    30: "a",
    31: "s",
    32: "d",
    33: "f",
    34: "g",
    35: "h",
    36: "j",
    37: "k",
    38: "l",
    42: "",  # KEY_LEFTSHIFT
    44: "z",
    45: "x",
    46: "c",
    47: "v",
    48: "b",
    49: "n",
    50: "m",
}

C = ctypes.CDLL("libc.so.6")  # the client shuffles with libc srand()/rand(), so replay the same PRNG
x = y = 0
for ts, data in p:
    # Rebuild the per-packet byte-substitution table: Fisher-Yates seeded with the timestamp
    C.srand(int.from_bytes(bytes.fromhex(ts), "little"))
    v = bytearray(range(256))
    for i in range(255, 0, -1):
        j = C.rand() % (i + 1)
        v[i], v[j] = v[j], v[i]

    # Undo the substitution, then run the RC4 PRGA over the 12-byte payload
    buf = bytearray(v.index(b) for b in bytes.fromhex(data))
    for i in range(len(buf)):
        x = (x + 1) & 255
        y = (y + S[x]) & 255
        S[x], S[y] = S[y], S[x]
        buf[i] ^= S[(S[x] + S[y]) & 255]

    # keyboard_notifier_param fields forwarded by the driver: shift, ledstate, value
    shift, _, value = struct.unpack("iiI", buf)

    c = keymap[value]

    # check KG_SHIFT
    if shift & 1:
        c = c.upper()

    print(c, end="")

Run it under Linux to get flag{k3rnel_Tr4ffic_G4me_H4ha}
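As an added example (not the poster's script), the client's encode path and the solver's decode path side by side: it shows why the per-packet shuffle adds no protection once its seed is the cleartext timestamp, and why packets must be decrypted in capture order because the RC4 state carries over. It assumes a plain LCG in place of libc rand(), a constructed RC4 key and a constructed keystroke sequence.

```python
import struct

def shuffle_table(ts):
    """Fisher-Yates permutation of 0..255 seeded with the packet's cleartext timestamp (LCG stands in for libc rand(), an assumption)."""
    s, v = ts & 0xFFFFFFFF, bytearray(range(256))
    for i in range(255, 0, -1):
        s = (s * 1103515245 + 12345) & 0x7FFFFFFF
        j = s % (i + 1)
        v[i], v[j] = v[j], v[i]
    return v

class RC4:
    """RC4 whose (S, x, y) state carries over from packet to packet, as in the challenge."""
    def __init__(self, key):
        self.S, j = bytearray(range(256)), 0
        for i in range(256):
            j = (j + self.S[i] + key[i % len(key)]) & 255
            self.S[i], self.S[j] = self.S[j], self.S[i]
        self.x = self.y = 0
    def crypt(self, data):
        out = bytearray(data)
        for i in range(len(out)):
            self.x = (self.x + 1) & 255
            self.y = (self.y + self.S[self.x]) & 255
            self.S[self.x], self.S[self.y] = self.S[self.y], self.S[self.x]
            out[i] ^= self.S[(self.S[self.x] + self.S[self.y]) & 255]
        return bytes(out)

def client_encode(rc4, ts, shift, value):
    """Client side: pack (shift, ledstate, value), RC4-encrypt, then substitute every byte."""
    v = shuffle_table(ts)
    return bytes(v[b] for b in rc4.crypt(struct.pack("iiI", shift, 0, value)))

def solver_decode(rc4, ts, blob):
    """Solver side: rebuild the table from the timestamp, undo the substitution, then RC4."""
    v = shuffle_table(ts)
    shift, _, value = struct.unpack("iiI", rc4.crypt(bytes(v.index(b) for b in blob)))
    return shift, value
KEYMAP = {26: "{", 27: "}", 30: "a", 33: "f", 34: "g", 38: "l"}  # subset of the page's keycode table

def demo():
    key = bytes(range(16))  # constructed RC4 key; in the challenge it comes from the RSA exchange
    presses = [(0, 33), (0, 38), (0, 30), (0, 34), (0, 26), (1, 33), (0, 27)]  # constructed: f l a g { F }
    enc = RC4(key)
    pkts = [(0x6735A4C9 + i, client_encode(enc, 0x6735A4C9 + i, sh, val)) for i, (sh, val) in enumerate(presses)]
    dec, text = RC4(key), ""
    for ts, blob in pkts:  # replay in capture order: the RC4 state is shared across packets
        sh, val = solver_decode(dec, ts, blob)
        text += KEYMAP[val].upper() if sh & 1 else KEYMAP[val]
    return text
```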


Recommended
senhan413 posted on 2025-1-8 11:16
Thanks! Back on the client side, after reading the key events captured by the driver it RC4-encrypts them and applies a shuffle, then sends the timestamp, the size and the data.
2#
winxpnt posted on 2025-1-8 07:56
3#
xionghaoyun posted on 2025-1-8 07:59
4#
cc5i1 posted on 2025-1-8 08:42
All I could tell is that it's Python; I didn't understand the rest.
5#
dlz0114 posted on 2025-1-8 08:53
Eye-opening.
6#
aosikaiii posted on 2025-1-8 09:45
Impressive, OP. Thanks for sharing.
7#
linix posted on 2025-1-8 09:55
Thanks for sharing, master.
8#
Y011 posted on 2025-1-8 10:05
Show-off, is that you?
9#
抱薪风雪雾 posted on 2025-1-8 11:01
When it comes to security, everything is a big deal.
10#
52wjj posted on 2025-1-8 11:11
So impressive!!!