PHPerチャレンジ 解説LT / PHPerKaigi2023challenge

Transcript

1. PHPerチャレンジ 解説LT
   サイボウズ株式会社 そが
   

   View Slide

2. PHPer チャレンジ、みなさんやっていますか︖
   ▌「#{⽂字列}」な形式の PHPer トークンをたくさん⾒つけて、
   スコアを稼ぐ企画
   ▌今年はサイボウズから PHPer チャレンジ⽤の問題を出題しています
   https://blog.cybozu.io/entry/phperkaigi2023-sponser
   その問題の解説を⾏う LT です︕
   

   View Slide

3. 出題＆解説の⼈
   ▌なまえ︓そが
   ▌会社︓サイボウズ株式会社
   ▌仕事︓弊社製品 Garoon の開発チームで、
   テクニカルサポート系
   ▌PHP︓仕事柄、書くのは稀で読むことが多い
   

   View Slide

4. 解説🔍
   

   View Slide

5. Step1
   ▌まず、２種類のプログラムがあることを確認
   n getPHPerToken.php
   n getKey.php
   ▌欲しいのは PHPer トークンなので、
   まずは getPHPerToken.php を読んでみる
   

   View Slide

6. getPHPerToken.php /**
   * This program can display a PHPer token.
   * But to get the correct PHPer token,
   * there are a few things you need to do before running this program.
   *
   * 1. You should get key1, key2 and key3 from getKey.php,
   * and fill , and of this program.
   * 2. The decrypt function does not work as expected for some reason.
   * This should be fixed.
   **/
   $key1=;
   $key2=;
   $key3=;
   function decrypt(array $ciphertext, int $public_key, int $secret_key) {
   $hex = "";
   foreach($ciphertext as $value) {
   $hex .= dechex($value ** $secret_key % $public_key);
   }
   $cleartext=hex2bin($hex);
   return $cleartext;
   }
   $ciphertext = [3181896, 6283063, 4748177, 3723679, 5707941];
   $public_key = 8555851;
   $secret_key = ($key1 + $key2 * 2 + $key3 * 3) ** 2 * 2 ** 3 + $key2 * $key3 + $key2 + $key3
   + 3;
   $cleartext=decrypt($ciphertext, $public_key, $secret_key);
   if(substr(md5($cleartext),0,30) === "97097d30ceb203d46ab08edf0308ba") {
   echo "PHPerToken is #" . $cleartext;
   } else {
   echo "Failed to get PHPerToken...";
   }
   

   View Slide

7. getPHPerToken.php（冒頭）
   /**
   * This program can display a PHPer token.
   * But to get the correct PHPer token,
   * there are a few things you need to do before running this program.
   *
   * 1. You should get key1, key2 and key3 from getKey.php,
   * and fill , and of this program.
   * 2. The decrypt function does not work as expected for some reason.
   * This should be fixed.
   **/
   $key1=;
   $key2=;
   $key3=;
   PHPerToken を表⽰できるプログラムだ
   けど、事前に以下２つをやってね。
   １．getKey.php からキーを３つ取得
   ２．decrypt 関数の修正
   

   View Slide

8. getPHPerToken.php（冒頭）
   /**
   * This program can display a PHPer token.
   * But to get the correct PHPer token,
   * there are a few things you need to do before running this program.
   *
   * 1. You should get key1, key2 and key3 from getKey.php,
   * and fill , and of this program.
   * 2. The decrypt function does not work as expected for some reason.
   * This should be fixed.
   **/
   $key1=;
   $key2=;
   $key3=;
   PHPerToken を表⽰できるプログラムだ
   けど、事前に以下２つをやってね。
   １．getKey.phpからキーを３つ取得
   ２．decrypt 関数の修正
   じゃあ、getKey.php を⾒てみよう
   

   View Slide

9. getKey.php
   /**
   * This program can display key1, key2 and key3.
   **/
   class A {
   public static function counter() {
   static $counter = 0;
   $counter += (2023 != "2023PHP");
   return $counter;
   }
   }
   class B extends A {}
   A::counter();
   $key = B::counter() . 3 << 2;
   $version = substr(phpversion(), 0, 3);
   if ($version === "7.4"){
   echo "key1: " . $key;
   } elseif ($version === "8.0") {
   echo "key2: " . $key;
   } elseif ($version === "8.1") {
   echo "key3: " . $key;
   } else {
   echo "Get no key!";
   }
   

   View Slide

10. getKey.php
    /**
    * This program can display key1, key2 and key3.
    **/
    class A {
    public static function counter() {
    static $counter = 0;
    $counter += (2023 != "2023PHP");
    return $counter;
    }
    }
    class B extends A {}
    A::counter();
    $key = B::counter() . 3 << 2;
    $version = substr(phpversion(), 0, 3);
    if ($version === "7.4"){
    echo "key1: " . $key;
    } elseif ($version === "8.0") {
    echo "key2: " . $key;
    } elseif ($version === "8.1") {
    echo "key3: " . $key;
    } else {
    echo "Get no key!";
    }
    PHP のバージョンごとに
    異なるキーを出⼒しそう
    

    View Slide

11. getKey.php
    /**
    * This program can display key1, key2 and key3.
    **/
    class A {
    public static function counter() {
    static $counter = 0;
    $counter += (2023 != "2023PHP");
    return $counter;
    }
    }
    class B extends A {}
    A::counter();
    $key = B::counter() . 3 << 2;
    $version = substr(phpversion(), 0, 3);
    if ($version === "7.4"){
    echo "key1: " . $key;
    } elseif ($version === "8.0") {
    echo "key2: " . $key;
    } elseif ($version === "8.1") {
    echo "key3: " . $key;
    } else {
    echo "Get no key!";
    }
    PHP 7.4, 8.0, 8.1 で挙動が変化
    するコードなので、$key が全部異なる
    

    View Slide

12. 挙動変化の元ネタ
    ▌⽂字列と数値の⽐較
    n https://www.php.net/manual/ja/migration80.incompatible.php#migration80.incompatible.core.
    string-number-comparision
    ▌ビットシフトや加算、減算に対する連結演算⼦の優先順位が変更
    n https://www.php.net/manual/ja/migration80.incompatible.php#migration80.incompatible.core.
    other
    ▌継承したメソッド内で static 変数を使う
    n https://www.php.net/manual/ja/migration81.incompatible.php#migration81.incompatible.core.
    static-variable-inheritance
    

    View Slide

13. getKey.php の実⾏ /**
    * This program can display key1, key2 and key3.
    **/
    class A {
    public static function counter() {
    static $counter = 0;
    $counter += (2023 != "2023PHP");
    return $counter;
    }
    }
    class B extends A {}
    A::counter();
    $key = B::counter() . 3 << 2;
    $version = substr(phpversion(), 0, 3);
    if ($version === "7.4"){
    echo "key1: " . $key;
    } elseif ($version === "8.0") {
    echo "key2: " . $key;
    } elseif ($version === "8.1") {
    echo "key3: " . $key;
    } else {
    echo "Get no key!";
    }
    ▌各 PHP バージョンでの実⾏⽅法は、お好みでOK
    n ⾃前でそれぞれ実⾏環境⽤意するもよし
    n Web 上で済ますもよし
    n https://3v4l.org/ など
    n 暗算できたらとてもつよし
    ▌key1=12, key2=112, key3=212
    

    View Slide

14. getPHPerToken.php（冒頭）
    /**
    * This program can display a PHPer token.
    * But to get the correct PHPer token,
    * there are a few things you need to do before running this program.
    *
    * 1. You should get key1, key2 and key3 from getKey.php,
    * and fill , and of this program.
    * 2. The decrypt function does not work as expected for some reason.
    * This should be fixed.
    **/
    $key1=12;
    $key2=112;
    $key3=212;
    取得した key1, key2, key3 を⼊れる
    

    View Slide

15. getPHPerToken.php（冒頭）
    PHPerToken を表⽰できるプログラムだ
    けど、事前に以下２つをやってね。
    １．getKey.php からキーを３つ取得
    ２．decrypt 関数の修正
    /**
    * This program can display a PHPer token.
    * But to get the correct PHPer token,
    * there are a few things you need to do before running this program.
    *
    * 1. You should get key1, key2 and key3 from getKey.php,
    * and fill , and of this program.
    * 2. The decrypt function does not work as expected for some reason.
    * This should be fixed.
    **/
    $key1=12;
    $key2=112;
    $key3=212;
    ࡁ
    

    View Slide

16. getPHPerToken.php（decrypt 関数）
    function decrypt(array $ciphertext, int $public_key, int $secret_key) {
    $hex = "";
    foreach($ciphertext as $value) {
    $hex .= dechex($value ** $secret_key % $public_key);
    }
    $cleartext=hex2bin($hex);
    return $cleartext;
    }
    $ciphertext = [3181896, 6283063, 4748177, 3723679, 5707941];
    $public_key = 8555851;
    $secret_key = ($key1 + $key2 * 2 + $key3 * 3) ** 2 * 2 ** 3 +
    $key2 * $key3 + $key2 + $key3 + 3;
    $cleartext=decrypt($ciphertext, $public_key, $secret_key);
    どこを直す必要が
    あるかな︖
    

    View Slide

17. getPHPerToken.php（decrypt 関数）
    function decrypt(array $ciphertext, int $public_key, int $secret_key) {
    $hex = "";
    foreach($ciphertext as $value) {
    $hex .= dechex($value ** $secret_key % $public_key);
    }
    $cleartext=hex2bin($hex);
    return $cleartext;
    }
    $ciphertext = [3181896, 6283063, 4748177, 3723679, 5707941];
    $public_key = 8555851;
    $secret_key = ($key1 + $key2 * 2 + $key3 * 3) ** 2 * 2 ** 3 +
    $key2 * $key3 + $key2 + $key3 + 3;
    $cleartext=decrypt($ciphertext, $public_key, $secret_key);
    実際の処理を
    イメージしてみよう
    

    View Slide

18. getPHPerToken.php（decrypt 関数）
    function decrypt(array $ciphertext, int $public_key, int $secret_key) {
    $hex = "";
    foreach($ciphertext as $value) {
    $hex .= dechex($value ** $secret_key % $public_key);
    }
    $cleartext=hex2bin($hex);
    return $cleartext;
    }
    $ciphertext = [3181896, 6283063, 4748177, 3723679, 5707941];
    $public_key = 8555851;
    $secret_key = ($key1 + $key2 * 2 + $key3 * 3) ** 2 * 2 ** 3 +
    $key2 * $key3 + $key2 + $key3 + 3;
    $cleartext=decrypt($ciphertext, $public_key, $secret_key);
    $secret_key は
    なんだかデカい数が
    ⼊りそう
    

    View Slide

19. getPHPerToken.php（decrypt 関数）
    function decrypt(array $ciphertext, int $public_key, int $secret_key) {
    $hex = "";
    foreach($ciphertext as $value) {
    $hex .= dechex($value ** $secret_key % $public_key);
    }
    $cleartext=hex2bin($hex);
    return $cleartext;
    }
    $ciphertext = [3181896, 6283063, 4748177, 3723679, 5707941];
    $public_key = 8555851;
    $secret_key = ($key1 + $key2 * 2 + $key3 * 3) ** 2 * 2 ** 3 +
    $key2 * $key3 + $key2 + $key3 + 3;
    $cleartext=decrypt($ciphertext, $public_key, $secret_key);
    なんだかデカい数を
    使った累乗計算
    ※7桁の7桁乗
    

    View Slide

20. getPHPerToken.php（decrypt 関数）
    function decrypt(array $ciphertext, int $public_key, int $secret_key) {
    $hex = "";
    foreach($ciphertext as $value) {
    $hex .= dechex($value ** $secret_key % $public_key);
    }
    $cleartext=hex2bin($hex);
    return $cleartext;
    }
    $ciphertext = [3181896, 6283063, 4748177, 3723679, 5707941];
    $public_key = 8555851;
    $secret_key = ($key1 + $key2 * 2 + $key3 * 3) ** 2 * 2 ** 3 +
    $key2 * $key3 + $key2 + $key3 + 3;
    $cleartext=decrypt($ciphertext, $public_key, $secret_key);
    64bit の範囲では、
    正確な計算が
    無理そう…
    ※7桁の7桁乗
    

    View Slide

21. decrypt 関数の修正⽅針
    ▌最終的に出したいのは $public_key で割った余りなので、
    合同式の計算の性質が利⽤できる︕
    n 𝑎 ≡ b, c ≡ 𝑑 のとき 𝑎b ≡ 𝑐𝑑
    $value ** $secret_key % $public_key
    

    View Slide

22. decrypt 関数の修正⽅針
    ▌𝑎! ≡ 𝑥 (mod 𝑛) を次のように計算できる
    n 𝑎" ≡ 𝑚"
    n 𝑎# ≡ 𝑎𝑚"
    ≡ 𝑚#
    n 𝑎$ ≡ 𝑎𝑚#
    ≡ 𝑚$
    n ・・・
    n 𝑎! ≡ 𝑎𝑚!%&
    ≡ 𝑚!
    ≡ 𝑥
    

    View Slide

23. decrypt 関数の修正⽅針
    ▌𝑎! ≡ 𝑥 (mod 𝑛) を次のように計算できる
    n 𝑎" ≡ 𝑚"
    n 𝑎# ≡ 𝑎𝑚"
    ≡ 𝑚#
    n 𝑎$ ≡ 𝑎𝑚#
    ≡ 𝑚$
    n ・・・
    n 𝑎! ≡ 𝑎𝑚!%&
    ≡ 𝑚!
    ≡ 𝑥
    𝑎を１回かけるごとに逐⼀𝑛で割った余りを求めて
    いけば、⼤きすぎる数(𝑎!)の計算を回避できる︕
    

    View Slide

24. decrypt 関数の修正⼀案
    foreach($ciphertext as $value) {
    $hex .= dechex($value ** $secret_key % $public_key);
    }
    for($i = 0; $i < count($ciphertext); $i++){
    $value = 1;
    for ($count = 0; $count < $secret_key; $count++){
    $value = $value * $ciphertext[$i] % $public_key;
    }
    $hex .= dechex($value);
    }
    

    View Slide

25. decrypt 関数の修正⼀案
    foreach($ciphertext as $value) {
    $hex .= dechex($value ** $secret_key % $public_key);
    }
    for($i = 0; $i < count($ciphertext); $i++){
    $value = 1;
    for ($count = 0; $count < $secret_key; $count++){
    $value = $value * $ciphertext[$i] % $public_key;
    }
    $hex .= dechex($value);
    }
    1回かけるたびに余りを
    求める、を繰り返す
    

    View Slide

26. getPHPerToken.php（さいご）
    if(substr(md5($cleartext),0,30) === "97097d30ceb203d46ab08edf0308ba") {
    echo "PHPerToken is #" . $cleartext;
    } else {
    echo "Failed to get PHPerToken...";
    }
    あとは実⾏するだけなので、
    ぜひ⾃分の⼿で答えを確認してみてください︕
    

    View Slide

27. getPHPerToken.php の元ネタ
    ▌RSA 暗号です︕
    ▌秘密鍵を計算するための⼿がかりを取得した後、
    それを⽤いて RSA 暗号を解くというストーリーになっていました
    

    View Slide

28. こたえ✐
    さっさと答え教えて︕という⽅向け
    

    View Slide

29. こたえ
    

    View Slide