ctf2018-第7题
2018-6-28 19:50 2290
根据字符串取sn索引
abcdefghijklmnopqrstuvwxyz+-ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789
abcdefghijklmnop
00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
根据下表取sn
0043FCBC 01 01 01 00 00 00 00 00 00 00 00 00 00 00 00 00
0043FCCC 01 00 00 01 01 00 00 00 00 00 00 00 00 00 00 00
0043FCDC 01 00 00 00 00 01 01 00 00 00 00 00 00 00 00 00
0043FCEC 00 01 00 00 00 01 00 01 00 00 00 00 00 00 00 00
0043FCFC 00 01 00 00 01 00 01 00 00 00 00 00 00 00 00 00
0043FD0C 00 00 01 01 00 00 00 00 01 00 00 00 00 00 00 00
0043FD1C 00 00 01 00 01 00 00 00 00 01 00 00 00 00 00 00
0043FD2C 00 00 00 01 00 00 00 01 00 00 01 00 00 00 00 00
0043FD3C 00 00 00 00 00 01 00 00 01 00 00 00 01 00 00 00
0043FD4C 00 00 00 00 00 00 01 00 00 00 00 01 00 01 00 00
0043FD5C 00 00 00 00 00 00 00 01 00 00 00 00 01 01 00 00
0043FD6C 00 00 00 00 00 00 00 00 00 01 00 01 00 00 01 00
0043FD7C 00 00 00 00 00 00 00 00 01 00 01 00 00 00 01 00
0043FD8C 00 00 00 00 00 00 00 00 00 01 01 00 00 00 00 01
0043FD9C 00 00 00 00 00 00 00 00 00 00 00 01 01 00 00 01
0043FDAC 00 00 00 00 00 00 00 00 00 00 00 00 00 01 01 01
indices:
00 01 02
03 04 00
05 06 00
05 07 01
04 06 01
08 02 03
09 02 04
07 0A 03
08 0C 05
0B 0D 06
0C 0D 07
0B 0E 09
0E 08 0A
0F 09 0A
0F 0B 0C
0F 0D 0E
取表, 循环19次, 得到的结果与目标串比较
p1: 3E 1C 14 28 20 06 28 23 1E 2F 01 25 1B 23 13 03
...
pn: 19 31 3F 3A 26 13 32 31 3E 2F 36 1F 15 2E 08 0C
char map[64][64][64]; .data:0040FEF0
buf_expected .data:0040FEE0
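// Print `len` bytes of `s` as upper-case hex on a single line, then a newline.
// A NULL buffer prints nothing at all (not even the newline).
void print(unsigned char *s, int len)
{
    if (NULL == s)
    {
        return;
    }

    for (int i = 0; i < len; i++)
    {
        ::printf("%02X", s[i]);
    }
    printf("\n");
}

// Invert one row of the lookup table: for each position i in [0, len) the
// output row gets buf_map_rev[buf_map[i]] = i.
//
// buf_map_rev must have room for `len` bytes. A value >= len in the input row
// would index past the end of the output row, so such entries are skipped
// instead of being written out of bounds; for a well-formed row (every value
// below len) the result is unchanged.
void x_reverse_map(PBYTE buf_map_rev, PBYTE buf_map, int len)
{
    if (NULL == buf_map_rev || NULL == buf_map)
    {
        return;
    }

    for (int i = 0; i < len; i++)
    {
        if (buf_map[i] < len)
        {
            buf_map_rev[buf_map[i]] = (BYTE)i;
        }
    }
}

// Build "map_rev.txt" from "map.txt" by inverting the table 64 bytes at a time.
//
// The input is an external file, so its size is checked first: the row loop
// below steps in units of 64 and would read past the end of the buffer if the
// size were not a multiple of 64. Nothing is written when the check fails.
void test_map_rev()
{
    string data;
    string data_rev;

    util::LoadFile(data, "map.txt");
    if (data.empty() || data.size() % 64 != 0)
    {
        printf("map.txt: unexpected size %u (need a non-zero multiple of 64)\n",
               (unsigned)data.size());
        return;
    }

    data_rev.resize(data.size());

    // &str[0] gives writable storage; writing through c_str() is not allowed.
    PBYTE buf_map = (PBYTE)&data[0];
    PBYTE buf_map_rev = (PBYTE)&data_rev[0];

    for (size_t i = 0; i < data.size(); i += 64)
    {
        x_reverse_map(buf_map_rev + i, buf_map + i, 64);
    }

    util::SaveFile(data_rev, "map_rev.txt");
}

// Recover the 16-character serial by undoing 19 rounds of table lookups.
//
// "map.txt" is read as a 64*64*64 byte table indexed [a][b][c] (see the two
// forward checks at the end of the inner loop); "map_rev.txt" holds the
// per-row inverse produced by test_map_rev(). Starting from the hard-coded
// target in buf_expected, each round searches for a 16-symbol state whose
// lookups reproduce the current target, prints it, and makes it the target of
// the next round. After the last round the state is mapped through the 64
// character alphabet and printed.
//
// Both tables come from files, so sizes and value ranges are validated before
// they are used as array indices; on any inconsistency a message is printed
// and no serial is produced.
void test()
{
    // One (a, b, c) triple for which the table yields a given output value.
    typedef struct t_value_raw
    {
        BYTE v0;
        BYTE v1;
        BYTE v2;
        BYTE reserved;
    } value_raw;

    // All 4096 triples that produce one output value, plus three bucket
    // indexes (by v0, by v1, by v2) holding positions into v[].
    typedef struct t_value_info
    {
        value_raw v[4096];
        int b0_indices[64][64];
        int b1_indices[64][64];
        int b2_indices[64][64];

        // Given v1 == b1 and v2 == b2, store the matching v0 in b0.
        // b0 is left untouched when no entry matches.
        void get_b0(BYTE& b0, BYTE b1, BYTE b2)
        {
            for (int i = 0; i < 64; i++)
            {
                int index = b1_indices[b1][i];
                if (v[index].v2 == b2)
                {
                    b0 = v[index].v0;
                    return;
                }
            }
        }

        // Given v0 == b0 and v2 == b2, store the matching v1 in b1.
        // b1 is left untouched when no entry matches.
        void get_b1(BYTE b0, BYTE& b1, BYTE b2)
        {
            for (int i = 0; i < 64; i++)
            {
                int index = b0_indices[b0][i];
                if (v[index].v2 == b2)
                {
                    b1 = v[index].v1;
                    return;
                }
            }
        }

        // Given v0 == b0 and v1 == b1, store the matching v2 in b2.
        // b2 is left untouched when no entry matches.
        void get_b2(BYTE b0, BYTE b1, BYTE& b2)
        {
            for (int i = 0; i < 64; i++)
            {
                int index = b0_indices[b0][i];
                if (v[index].v1 == b1)
                {
                    b2 = v[index].v2;
                    return;
                }
            }
        }

        // index-th entry of the bucket with v2 == b2: returns its v0 and v1.
        void get_b01(BYTE& b0, BYTE& b1, BYTE b2, int index)
        {
            int k = b2_indices[b2][index];
            b0 = v[k].v0;
            b1 = v[k].v1;
        }

        // index-th entry of the bucket with v1 == b1: returns its v0 and v2.
        void get_b02(BYTE& b0, BYTE b1, BYTE& b2, int index)
        {
            int k = b1_indices[b1][index];
            b0 = v[k].v0;
            b2 = v[k].v2;
        }

        // index-th entry of the bucket with v0 == b0: returns its v1 and v2.
        void get_b12(BYTE b0, BYTE& b1, BYTE& b2, int index)
        {
            int k = b0_indices[b0][index];
            b1 = v[k].v1;
            b2 = v[k].v2;
        }
    } value_info;

    typedef map<BYTE, value_info *> value_map;

    string data;
    string data_rev;
    util::LoadFile(data, "map.txt");
    util::LoadFile(data_rev, "map_rev.txt");

    // The forward checks index up to 63*4096 + 63*64 + 63, and the index
    // build below fills exactly 4096 entries of v[] per output value.
    const size_t table_size = 64 * 64 * 64;
    if (data.size() < table_size || data_rev.size() != table_size)
    {
        printf("unexpected table size: map.txt=%u map_rev.txt=%u (need %u)\n",
               (unsigned)data.size(), (unsigned)data_rev.size(),
               (unsigned)table_size);
        return;
    }

    PBYTE buf_map = (PBYTE)&data[0];
    PBYTE buf_map_rev = (PBYTE)&data_rev[0];

    value_map m;
    int z;
    int i;
    bool ok = true;

    // For every output value z, list the triples (v0, v1, v2) that map to it.
    for (z = 0; ok && z < 64; z++)
    {
        // Value-initialised so that no bucket slot is ever read uninitialised.
        value_info *vi = new value_info();
        m.insert(make_pair(z, vi));

        int k = 0;
        int kk[3][64] = {0};   // fill level of each b0/b1/b2 bucket
        for (i = 0; i < (int)data_rev.size(); i += 64)
        {
            BYTE c = buf_map_rev[i + z];
            if (c >= 64)
            {
                // Would spill into the next row and corrupt v0/v1.
                ok = false;
                break;
            }

            // i selects the (v0, v1) row, c is the v2 within that row.
            DWORD v = i + c;
            BYTE v0 = (BYTE)(v / 4096);
            v %= 4096;
            BYTE v1 = (BYTE)(v / 64);
            v %= 64;
            BYTE v2 = (BYTE)v;

            if (kk[0][v0] >= 64 || kk[1][v1] >= 64 || kk[2][v2] >= 64)
            {
                // A bucket holds at most 64 positions.
                ok = false;
                break;
            }

            vi->v[k].v0 = v0;
            vi->v[k].v1 = v1;
            vi->v[k].v2 = v2;

            vi->b0_indices[v0][kk[0][v0]++] = k;
            vi->b1_indices[v1][kk[1][v1]++] = k;
            vi->b2_indices[v2][kk[2][v2]++] = k;
            ++k;
        }
    }

    if (!ok)
    {
        printf("map_rev.txt: malformed table\n");
    }

    BYTE buf_expected[16] = {
        0x14, 0x22, 0x1E, 0x10, 0x38, 0x30, 0x18, 0x10,
        0x04, 0x1A, 0x24, 0x08, 0x02, 0x26, 0x38, 0x2A,
    };
    BYTE buf[16] = {0};
    value_info *pv[16];

    for (int round = 0; ok && round < 19; round++)
    {
        // pv[r] = triples that yield the r-th symbol of the current target.
        for (i = 0; i < 16; i++)
        {
            value_map::iterator it = m.find(buf_expected[i]);
            if (it == m.end())
            {
                ok = false;
                break;
            }
            pv[i] = it->second;
        }
        if (!ok)
        {
            printf("round %d: target symbol out of range\n", round);
            break;
        }

        bool found = false;
        for (int i0 = 0; !found && i0 < 4096; i0++)
        {
            // Row 0 uses (0, 1, 2): try every triple that yields its symbol.
            buf[0] = pv[0]->v[i0].v0;
            buf[1] = pv[0]->v[i0].v1;
            buf[2] = pv[0]->v[i0].v2;

            for (int i1 = 0; i1 < 64; i1++)
            {
                // Row 1 uses (3, 4, 0): enumerate candidates for the known buf[0].
                pv[1]->get_b01(buf[3], buf[4], buf[0], i1);

                // Every remaining row has a single unknown; the statement
                // order matters because each call consumes earlier results.
                pv[4]->get_b1(buf[4], buf[6], buf[1]);              // row 4: (4, 6, 1)
                pv[5]->get_b0(buf[8], buf[2], buf[3]);              // row 5: (8, 2, 3)
                pv[6]->get_b0(buf[9], buf[2], buf[4]);              // row 6: (9, 2, 4)
                pv[2]->get_b0(buf[5], buf[6], buf[0]);              // row 2: (5, 6, 0)
                pv[3]->get_b1(buf[5], buf[7], buf[1]);              // row 3: (5, 7, 1)
                pv[7]->get_b1(buf[7], buf[0x0A], buf[3]);           // row 7: (7, A, 3)
                pv[8]->get_b1(buf[8], buf[0x0C], buf[5]);           // row 8: (8, C, 5)
                pv[0x0A]->get_b1(buf[0x0C], buf[0x0D], buf[0x07]);  // row A: (C, D, 7)
                pv[0x0C]->get_b0(buf[0x0E], buf[8], buf[0x0A]);     // row C: (E, 8, A)

                // Rows 9 and B both determine buf[0x0B]; they must agree.
                BYTE v_0B = 0;
                BYTE v_0B_1 = 0;
                pv[9]->get_b0(v_0B, buf[0x0D], buf[6]);             // row 9: (B, D, 6)
                pv[0x0B]->get_b0(v_0B_1, buf[0x0E], buf[9]);        // row B: (B, E, 9)
                if (v_0B != v_0B_1)
                {
                    continue;
                }
                buf[0x0B] = v_0B;

                pv[0x0D]->get_b0(buf[0x0F], buf[9], buf[0x0A]);     // row D: (F, 9, A)

                // Rows E and F have no unknown left: verify them forwards.
                if (buf_map[buf[0x0F]*64*64+buf[0x0B]*64+buf[0x0C]] != buf_expected[0x0E])
                {
                    continue;
                }
                if (buf_map[buf[0x0F]*64*64+buf[0x0D]*64+buf[0x0E]] != buf_expected[0x0F])
                {
                    continue;
                }

                print(buf, sizeof(buf));
                found = true;
                break;
            }
        }

        if (!found)
        {
            // Do not carry a stale buffer into the next round.
            printf("round %d: no matching state found\n", round);
            ok = false;
            break;
        }

        // The recovered state is the target of the next (earlier) round.
        memcpy(buf_expected, buf, 16);
    }

    if (ok)
    {
        char char_map[] = "abcdefghijklmnopqrstuvwxyz+-ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789";
        char sz_sn[256] = {0};
        for (i = 0; i < 16; i++)
        {
            sz_sn[i] = char_map[buf[i]];
        }
        printf("%s\n", sz_sn);
    }

    // Release every table that was allocated, on success and failure alike.
    for (value_map::iterator it = m.begin(); it != m.end(); ++it)
    {
        delete it->second;
    }
    printf("end\n");
}

// Entry point. test() expects map_rev.txt to exist already; enable the
// test_map_rev() call once to generate it from map.txt.
int _tmain(int argc, _TCHAR* argv[])
{
    //test_map_rev();
    test();
    return 0;
}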
最后于 2018-6-28 19:51
被风间仁编辑
,原因: