1. 直接用VBDecompiler分析
分析反编译出来的代码, 按反编译结果直接穷举, 发现没有结果, 掉坑里了: 程序在运行时会改写自己的 p-code (见第 2 节的 5 处 xor), 静态反编译出来的公式并不是实际执行的公式
2. 分析pcode改动
修改OEP为0x00001090, OD加载, 还原OEP为0x00000000, 在0x400000处新建EIP
(检测调试器的代码没有完整贴出, 但下面这段里其实已经包含两处: push ss / pop ss / pushfd / pop edi / and edi,100 这一串是读 EFLAGS 的 TF 位 (0x100) 来检测单步, 被单步时 edi 会算成 0x400088 而不是 0x408900; 后面 fs:[30] 取 PEB 再读 [ecx+2] 即 BeingDebugged, 它决定后续 xor 的 key, 被调试时 key 为 0, p-code 根本不会被改写)
00401090 > 68 90754000 push 00407590
00401095 E8 667D0000 call 00408E00
00408E00 50 push eax
00408EE0 52 push edx
00408E20 16 push ss
00408EC0 17 pop ss
00408EC1 9C pushfd
00408E40 5F pop edi
00408EA0 81E7 00010000 and edi, 100
00408E60 C1EF 08 shr edi, 8
00408E90 47 inc edi
00408E80 B8 78780000 mov eax, 7878
00408E50 66:F7E7 mul di
00408EB0 BF 78014100 mov edi, 00410178
00408ED0 2BF8 sub edi, eax
00408E30 5A pop edx
00408E70 58 pop eax
00408E10 57 push edi ; 00408900
00408EF0 C3 retn
00408900 50 push eax
004088F4 B8 26FFBFFF mov eax, FFBFFF26
00408908 F7D0 not eax
00408911 8B00 mov eax, dword ptr [eax] ; 004000D9(address of oep + 1)
004088EA C1E0 03 shl eax, 3
0040891A 83F0 57 xor eax, 57
004088DF A3 E5884000 mov dword ptr [4088E5], eax
004088E4 /E9 57000000 jmp 00408940
00408940 58 pop eax
00408948 68 46114000 push 00401146
0040116D C3 retn
00401146 60 pushad
00408F01 64:8B0D 3000000>mov ecx, dword ptr fs:[30]
00408F28 0FB649 02 movzx ecx, byte ptr [ecx+2]
00408F45 33C0 xor eax, eax
00408F47 40 inc eax
00408F48 2BC1 sub eax, ecx
00408F63 66:B9 0400 mov cx, 4
0040880B 66:F7E1 mul cx
0040880E 3005 27844000 xor byte ptr [408427], al
0040882D 3005 41844000 xor byte ptr [408441], al
0040884C 3005 93844000 xor byte ptr [408493], al
0040886B 66:B9 0600 mov cx, 6
00408888 66:F7E1 mul cx
0040888B 3005 CB844000 xor byte ptr [4084CB], al
004088AA 3005 7B854000 xor byte ptr [40857B], al
00408CC7 61 popad
00408CD6 68 88104000 push <jmp.&MSVBVM60.#100>
0040116D C3 retn
共有5处改动 (即上面 5 条 xor byte ptr 指令: 前 3 处的 key 为 (1-BeingDebugged)*4 = 4, 后 2 处再乘 6 得 0x18; 0xAB^0x04=0xAF, 0x6C^0x18=0x74)
408427: AB(AddR8) -> AF(SubR4)
408441: AB(AddR8) -> AF(SubR4)
408493: AB(AddR8) -> AF(SubR4)
4084CB: 6C(FStFPR8 var_x) -> 74(FStFPR8 var_y)
40857B: 74(FStFPR8 var_y) -> 6C(FStFPR8 var_x)
3. 穷举
c=1711722997.0
条件1:
sqrt(2*(c^2)*(a^2)-(b^4)-(c^4)+2*(c^2)*(b^2)+2*(a^2)*(b^2)-(a^4))*0.5/(c+a+b)
=sqrt((c+a+b)*(c+(a)-b)*(c+(b)-a)*(a+(b)-c))*0.5/(c+a+b)
=373414231.362502
(根号下是海伦公式里的 16·面积², 所以条件1 就是 2·面积/周长 = 内切圆半径 r)
条件2:
(c*a*b)/sqrt((c+a+b)*(c+(a)-b)*(c+(b)-a)*(a+(b)-c))
=874402299.931726
(即 abc/(4·面积) = 外接圆半径 R; 两式联立消去面积可得 b = 2rR(c+a)/(ca-2rR), 这就是下面脚本里 k 和 b 的来历, 因此只需对 a 穷举)
from math import *
import sys
import itertools
# Known side length (the crackme's fixed operand) and the two target values:
# r1 is the inradius-style value of condition 1, r2 the circumradius-style
# value of condition 2 (see the formulas above).
c, r1, r2 = 1711722997.0, 373414231.362502, 874402299.931726
# Two-decimal prefix of r1; check() matches str(m) against it instead of
# comparing floats exactly.
s_r1 = '373414231.36'
# sqrt(pow(c,2)*2*pow(a,2) - pow(b,4) - pow(c,4) + pow(c,2)*2 * pow(b,2) + pow(a,2)*2*pow(b,2) - pow(a,4))*0.5/(c+a+b)
# sqrt((c+a+b)*(c+(a)-b)*(c+(b)-a)*(a+(b)-c))*0.5/(c+a+b)
# == r1
# (c*a*b)/sqrt((c+a+b)*(c+(a)-b)*(c+(b)-a)*(a+(b)-c))
# == r2
def calc_v(c, a, b):
    """Return (c+a+b)(c+a-b)(c+b-a)(a+b-c), i.e. 16 * Area^2 by Heron's formula.

    The product is positive only when the three lengths satisfy the
    triangle inequality; callers test for v > 0 before taking sqrt.
    """
    perimeter = c + a + b
    return perimeter * (c + a - b) * (c + b - a) * (a + b - c)
def calc_r1(a, b):
    """Condition 1 for sides (c, a, b): 2*Area/(c+a+b), using module-level c.

    Raises ValueError (from sqrt) when (c, a, b) is not a valid triangle.
    """
    area_x4 = sqrt(calc_v(c, a, b))
    return area_x4 * 0.5 / (c + a + b)
def calc_r2(a, b):
    """Condition 2 for sides (c, a, b): c*a*b/(4*Area), using module-level c.

    Raises ValueError (from sqrt) when (c, a, b) is not a valid triangle,
    ZeroDivisionError when it is degenerate.
    """
    product = c * a * b
    return product / sqrt(calc_v(c, a, b))
def check(a, b):
    """Test whether sides (c, a, b) reproduce condition 1 to the prefix s_r1.

    Uses module-level c and s_r1. On a hit, prints a separator, a, b and the
    concatenated hex of int(a) and int(b) (presumably the flag material, as
    in the recorded run below) and returns True; otherwise returns False.
    """
    v = calc_v(c, a, b)
    # Non-positive product: not a triangle (or degenerate), nothing to test.
    if not (v > 0):
        return False
    m = sqrt(v) * 0.5 / (c + a + b)
    # Prefix match on the decimal repr instead of an exact float compare.
    if not str(m).startswith(s_r1):
        return False
    print('----')
    print(a)
    print(b)
    print('%x%x' % (int(a), int(b)))
    return True
def solve(ibegin, iend):
    """Scan integer a in [ibegin, iend) and stop at the first pair passing check().

    For each candidate a, b is obtained in closed form from the two targets
    (module-level r1, r2 and c), rounded to an integer, and tried only when
    a > b so each unordered pair is visited once. Prints a progress line
    every 1,000,000 candidates. Returns None whether or not a hit was found.
    """
    print('start={}, end={}'.format(ibegin, iend))
    for i in range(ibegin, iend):
        # Progress heartbeat: one line per million candidates scanned.
        if (i - ibegin + 1) % 1000000 == 0:
            print(i)
        a = float(i)
        # From 2*r1*(c+a+b) == c*a*b/r2  =>  b = 2*r1*(c+a) / (c*a/r2 - 2*r1).
        k = c * a / r2 - 2 * r1
        if not (k > 0):
            continue
        b = 2 * r1 * (c + a) / k
        if not (a > b):
            continue
        if check(a, round(b)):
            return
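if __name__ == '__main__':
    # Usage: python test.py <begin> <end>   -- scans a in [begin, end).
    # Guarded so the helpers can be imported without starting the scan, and
    # so a missing argument gives a usage line instead of an IndexError.
    if len(sys.argv) != 3:
        sys.exit('usage: {} <begin> <end>'.format(sys.argv[0]))
    ibegin = int(sys.argv[1])
    iend = int(sys.argv[2])
    solve(ibegin, iend)

# Recorded run over the full 32-bit range:
#   python test.py 0 4294967296
#   ----
#   1587167000.0
#   1043855616
#   5e9a3f183e37f900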
4. matlab解法(参考其他人的, 这里备份一下)
% Symbolic solution of the same two conditions (r = condition 1, R = condition 2).
% NOTE: here the known side is named `a`; the Python script above calls it `c`.
syms b
syms c
a=1711722997.0
r=373414231.362502
R=874402299.931726
% a*b*c == R*sqrt(16*Area^2): condition 2 (circumradius-style).
eq1=a*b*c-R*sqrt((a+b+c)*(a+(b)-c)*(a+(c)-b)*(b+(c)-a))
% 2*r*(a+b+c) == sqrt(16*Area^2): condition 1 (inradius-style).
eq2=2*r*(a+b+c)-sqrt((a+b+c)*(a+(b)-c)*(a+(c)-b)*(b+(c)-a))
% Solve for (b, c) with the ordering constraint b > c (one ordering of the
% symmetric pair) and c > 0.
[b,c]=solve(eq1,eq2,b>c,c>0,b,c)
% Round to integers; the Python search treats both unknown sides as integers.
b=round(vpa(b))
c=round(vpa(c))