-
-
[原创]KCTF2021秋季赛 迷失丛林
-
2021-11-18 17:48 15649
-
输入为32位,每两位转换为16进制数,校验分为两部分
第一部分
这里的算法是生成一个八层的二叉树,然后判断第八层节点中值为0,14,40,79的个数
二叉树生成逻辑如下
1 2 3 4 | tmp = [...] #程序内存的一个表,表的前八位是输入的前16位转换成的16进制数 父节点(parent) 左儿子(tmp[parent]) 右儿子(parent + 1 ) 根节点的值为 1 ~ 256 ,共 256 个二叉树 |
这里我推了一段时间发现是不可逆的(可能我太菜,欢迎大佬指正),只能爆破,因为在生成二叉树时可以索引到tmp表的所有成员,所以猜测只要爆破tmp表的前8个数即可,共8的阶乘种可能性,规模不大
第二部分
简单的换表加密,直接爆破
Code
part1
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 | off = [ 0x00000002 , 0x00000004 , 0x00000008 , 0x00000010 , 0x00000020 , 0x00000040 , 0x80 ] table = [ 0x12 , 0x43 , 0x65 , 0x87 , 0x19 , 0x32 , 0x54 , 0x67 , 0xA2 , 0x9B , 0xF4 , 0xDF , 0xAC , 0x7C , 0xA1 , 0xC6 , 0x16 , 0xD0 , 0x0F , 0xDD , 0xDC , 0x73 , 0xC5 , 0x6B , 0xD1 , 0x96 , 0x47 , 0xC2 , 0x26 , 0x67 , 0x4E , 0x41 , 0x82 , 0x20 , 0x56 , 0x9A , 0x6E , 0x33 , 0x92 , 0x88 , 0x29 , 0xB5 , 0xB4 , 0x71 , 0xA9 , 0xCE , 0xC3 , 0x34 , 0x50 , 0x59 , 0xBF , 0x2D , 0x57 , 0x22 , 0xA6 , 0x30 , 0x04 , 0xB2 , 0xCD , 0x36 , 0xD5 , 0x68 , 0x4D , 0x5B , 0x45 , 0x9E , 0x85 , 0xCF , 0x9D , 0xCC , 0x61 , 0x78 , 0x32 , 0x76 , 0x31 , 0xE3 , 0x80 , 0xAD , 0x39 , 0x4F , 0xFA , 0x72 , 0x83 , 0x4C , 0x86 , 0x60 , 0xB7 , 0xD7 , 0x63 , 0x0C , 0x44 , 0x35 , 0xB3 , 0x7B , 0x19 , 0xD4 , 0x69 , 0x08 , 0x0B , 0x1F , 0x3D , 0x11 , 0x79 , 0xD3 , 0xEE , 0x93 , 0x42 , 0xDE , 0x23 , 0x3B , 0x5D , 0x8D , 0xA5 , 0x77 , 0x5F , 0x58 , 0xDB , 0x97 , 0xF6 , 0x7A , 0x18 , 0x52 , 0x15 , 0x74 , 0x25 , 0x62 , 0x2C , 0x05 , 0xE8 , 0x0D , 0x98 , 0x2A , 0x43 , 0xE2 , 0xEF , 0x48 , 0x87 , 0x49 , 0x1C , 0xCA , 0x2B , 0xA7 , 0x8A , 0x09 , 0x81 , 0xE7 , 0x53 , 0xAA , 0xFF , 0x6F , 0x8E , 0x91 , 0xF1 , 0xF0 , 0xA4 , 0x46 , 0x3A , 0x7D , 0x54 , 0xEB , 0x2F , 0xC1 , 0xC0 , 0x0E , 0xBD , 0xE1 , 0x6C , 0x64 , 0xBE , 0xE4 , 0x02 , 0x3C , 0x5A , 0xA8 , 0x9F , 0x37 , 0xAF , 0xA0 , 0x13 , 0xED , 0x1B , 0xEC , 0x8B , 0x3E , 0x7E , 0x27 , 0x99 , 0x75 , 0xAB , 0xFE , 0xD9 , 0x3F , 0xF3 , 0xEA , 0x70 , 0xF7 , 0x95 , 0xBA , 0x1D , 0x40 , 0xB0 , 0xF9 , 0xE5 , 0xF8 , 0x06 , 0xBC , 0xB6 , 0x03 , 0xC9 , 0x10 , 0x9C , 0x2E , 0x89 , 0x5C , 0x7F , 0xB1 , 0x1A , 0xD6 , 0x90 , 0xAE , 0xDA , 0xE6 , 0x5E , 0xB9 , 0x84 , 0xE9 , 0x55 , 0xBB , 0xC7 , 0x0A , 0xE0 , 0x66 , 0xF2 , 0xD8 , 0xCB , 0x00 , 0x12 , 0xB8 , 0x17 , 0x94 , 0x6A , 0x4A , 0x01 , 0x24 , 0x14 , 0x51 , 0x07 , 0x65 , 0x21 , 0xC8 , 0x38 , 0xFD , 0x8F , 0xC4 , 0xF5 , 0xFC ] def check(flag): global off byte_404220 = [ 0 ] * 512 v25 = [[ 0 for i in range ( 256 )] for i in range ( 256 )] v = 0 index = 1 while 1 : byte_404220[ 0 ] = flag[index - 1 ] byte_404220[ 1 ] = index % 256 tmp = 2 count = 0 for i in range ( len (off)): for k in range (off[i]): byte_404220[tmp] = flag[(byte_404220[count])& 0xff ] byte_404220[tmp + 1 ] = (byte_404220[count] + 1 ) % 256 count + = 1 tmp + = 2 for i in range ( 256 ): v25[v][byte_404220[count]] + = 1 count + = 1 v + = 1 index + = 1 if index> 256 : break v21 = 0 v22 = 0 v23 = 0 v24 = 0 for i in range ( 256 ): if v25[i][ 0 ]: v21 + = 1 if v25[i][ 40 - 26 ]: v22 + = 1 if v25[i][ 40 ]: v23 + = 1 if v25[i][ 40 + 39 ]: v24 + = 1 if v21 = = 169 and v22 = = 172 and v23 = = 167 and v24> 200 : return 1 return 0 def equal(a,b,c,d,e,f,g,h): if a = = b or a = = c or a = = d or a = = e or a = = f or a = = g or a = = h: return 1 if b = = c or b = = d or b = = e or b = = f or b = = g or b = = h: return 1 if c = = d or c = = e or c = = f or c = = g or c = = h: return 1 if d = = e or d = = f or d = = g or d = = h: return 1 if e = = f or e = = g or e = = h: return 1 if f = = g or f = = h: return 1 if g = = h: return 1 return 0 s = [ 0x1e , 0x28 , 0x4b , 0x6d , 0x8c , 0xa3 , 0xd2 , 0xfb ] for i in s: for j in s: for k in s: for l in s: for m in s: for n in s: for x in s: for y in s: if equal(i,j,k,l,m,n,x,y): continue table[ 0 ] = i table[ 1 ] = j table[ 2 ] = k table[ 3 ] = l table[ 4 ] = m table[ 5 ] = n table[ 6 ] = x table[ 7 ] = y if check(table): print ( hex (i), hex (j), hex (k), hex (l), hex (m), hex (n), hex (x), hex (y)) # b4d682c8bf2de13a |
part2
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 | result = [ 0xC1 , 0x9B , 0x7F , 0x58 , 0x64 , 0xD5 , 0x77 , 0x21 , 0x74 , 0xEB , 0x14 , 0xBF , 0xDF , 0x25 , 0x5A , 0x37 , 0x85 , 0x2C , 0xAF , 0x8C , 0xDA , 0x26 , 0xE2 , 0x7A , 0x87 , 0x4C , 0x60 , 0x99 , 0x54 , 0x3C , 0x95 , 0xC0 , 0xB9 , 0x0C , 0xBC , 0x0E , 0xE7 , 0x2D , 0x86 , 0xBE , 0x67 , 0xD3 , 0xD8 , 0xFC , 0x30 , 0xB6 , 0xC8 , 0x57 , 0x1E , 0x62 , 0x3E , 0xCE , 0xA0 , 0xCD , 0xF5 , 0xEE , 0xA7 , 0xCF , 0x45 , 0xFE , 0xD0 , 0x80 , 0x05 , 0xAD , 0x13 , 0xF3 , 0xB7 , 0x6B , 0x22 , 0x2B , 0xBD , 0x69 , 0x42 , 0x4B , 0xA5 , 0xEA , 0xA6 , 0xD2 , 0x6F , 0x4F , 0x4E , 0x07 , 0xE1 , 0x36 , 0x01 , 0xB5 , 0xAA , 0xB1 , 0x94 , 0x0B , 0x35 , 0x3A , 0xC7 , 0x49 , 0x53 , 0x82 , 0xC3 , 0x7B , 0x32 , 0xFF , 0x19 , 0xC4 , 0xF1 , 0xC9 , 0xE8 , 0xF7 , 0x56 , 0x15 , 0xA3 , 0x46 , 0x89 , 0x43 , 0x9D , 0x8F , 0x20 , 0xEF , 0xBB , 0x2A , 0xCB , 0x09 , 0x93 , 0x4A , 0x1C , 0xE3 , 0x33 , 0xD1 , 0xE0 , 0x1D , 0x72 , 0x7C , 0x27 , 0xE9 , 0x17 , 0x28 , 0x6D , 0x6A , 0xD9 , 0x00 , 0x9A , 0xE5 , 0x63 , 0xDE , 0x23 , 0x9F , 0x0D , 0x47 , 0x3B , 0x65 , 0x08 , 0x84 , 0x6C , 0x1A , 0x88 , 0x12 , 0xA1 , 0xA4 , 0xB3 , 0x18 , 0x24 , 0x1B , 0xD7 , 0x44 , 0xDB , 0xAC , 0x6E , 0x7D , 0x51 , 0x5E , 0xED , 0x50 , 0xD6 , 0x11 , 0x5B , 0x9C , 0xB4 , 0x68 , 0x3D , 0x2F , 0x03 , 0x40 , 0xBA , 0x2E , 0xCA , 0x02 , 0xE6 , 0xA8 , 0xEC , 0x83 , 0x06 , 0x5D , 0xB8 , 0x4D , 0x97 , 0x66 , 0xF0 , 0xFB , 0x8A , 0x55 , 0xAB , 0xB2 , 0x04 , 0xFA , 0x0A , 0x31 , 0x71 , 0xCC , 0x8B , 0x73 , 0xA9 , 0x48 , 0x5C , 0xF9 , 0x98 , 0xE4 , 0xC6 , 0x34 , 0xC5 , 0x7E , 0x81 , 0x75 , 0x90 , 0x1F , 0x92 , 0x3F , 0x9E , 0x10 , 0x29 , 0x52 , 0x39 , 0xF4 , 0x41 , 0x78 , 0x5F , 0x16 , 0x79 , 0xC2 , 0xB0 , 0xDD , 0xF2 , 0x61 , 0x0F , 0x70 , 0xD4 , 0x91 , 0xDC , 0xF6 , 0xF8 , 0xFD , 0x59 , 0x38 , 0x8D , 0x96 , 0xAE , 0x8E , 0x76 , 0xA2 ] flag = [ 0x11 ] * 8 check1 = [ 0 ] * 8 for i in range ( 8 ): check1[i] = result[i] cmp = "GoodJob~" f = '' for m in range ( 8 ): for i in range ( 0xff ): flags = i for j in range ( 8 ): check1[j] = result[j] for j in range ( 9 ): for k in range ( 8 ): if j = = 8 : if k = = 0 or k = = 7 : check1[k] - = 1 else : if flags& 1 : check1[k] + = 1 else : check1[k] = result[check1[k]& 0xff ] if k = = m: flags = flags>> 1 if check1[m] = = ord ( cmp [m]): f + = str ( hex (i)[ 2 :].rjust( 2 , "0" )[:: - 1 ]) print (f) |
[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界
赞赏
他的文章
看原图