[原创]第6题
2017-11-5 03:25 3149
16 <= len(sn) <= 24
; Serial-number input loop: one character per iteration into the stack buffer
; at [esp+esi+104h+var_B4], stopping on '\n' or after 0x1C (28) characters.
; No EOF check is visible here; only the newline and the count cap end the loop.
.text:00402723 call edi ; getchar
.text:00402725 cmp al, 0Ah                         ; '\n' ends the input
.text:00402727 mov [esp+esi+104h+var_B4], al       ; stored before the branch, so the '\n' lands in the buffer (overwritten by the 0 below, esi is not advanced on that path)
.text:0040272B jz short loc_402735
.text:0040272D add esi, 1
.text:00402730 cmp esi, 1Ch                        ; hard cap: at most 28 characters read
.text:00402733 jl short loc_402723
.text:00402735 mov [esp+esi+104h+var_B4], 0        ; NUL-terminate at index esi == length
.text:0040273A add esi, 0FFFFFFF0h                 ; esi = len - 16
.text:0040273D cmp esi, 8
.text:00402740 ja loc_4029DD                       ; unsigned compare: (len-16) > 8 rejects len > 24 and also len < 16 (wraps to a large value), i.e. 16 <= len <= 24 is enforced
DES加密, 其中多个常数表被替换
; DES-CBC over the serial with a fixed 8-byte key. The IV is not shown in this excerpt -- check the callee.
key="*2017*10"
des_cbc_encrypt(sn, key)
.text:00402771 call des_cbc_encrypt
; Constant tables this DES build reads. The names are the standard DES table
; names, but the post reports several contents were replaced, so a stock DES
; implementation will not reproduce the output; the tables must be dumped from
; these addresses and used as-is.
.data:0045AE9C PC1_Table
.data:0045AED4 LOOP_Table
.data:0045AEE4 PC2_Table
.data:0045AF18 IP_Table
.data:0045AF58 E_Table
.data:0045AF88 P_Table
.data:0045AFA8 IPR_Table
.data:0045AFE8 S_Box
sn高4位与低4位互换, 转换为16进制字符串
; Nibble-swap + hex-string loop over the DES output (loop body elided in the post).
.text:004027B0 push esi
...
.text:00402806 jb short loc_4027B0   ; unsigned loop-continue condition; the bound compared against is not shown here
sn计算
// sn transformation using MIRACL big-number routines (mirvar / bytes_to_big / multiply / ...).
.text:00402808 call mirvar
...
.text:00402876 call sub_4022E0
big x = mirvar(0);
big v = mirvar(173);
big y = mirvar(1817);
bytes_to_big(len, sn, x);   // interpret the sn bytes as one big integer
multiply(x, v, x);          // x = sn * 173
fft_mult(x, y, y);          // y = x * 1817
power(y, 2, y);             // y = y^2
decr(y, 1001, y);           // y = y - 1001
v=mirvar(317)
multiply(y, v, y);          // y = y * 317
// sub_4022E0 is computed with C floating-point functions
sn=((sn*173*1817)^2-1001)*317
// NOTE(review): which of the steps above sub_4022E0 performs, and what reverse()
// reverses (bytes vs. decimal digits of the result), is not shown here -- verify against the call.
sn=reverse(sn)
lua jit计算
; Load an embedded LuaJIT bytecode chunk (0x917 bytes at byte_45A578), run it,
; then hand the transformed serial to it as global "xut" and call global "myst".
.text:004028F0 push offset aLuajit210Beta3 ; "luajit2.1.0-beta3"   ; chunk name
.text:004028F5 push 917h ; a3                                       ; buffer size
.text:004028FA push offset byte_45A578 ; a2                         ; bytecode buffer
.text:004028FF push esi ; a1                                        ; lua_State*
.text:00402900 call luaL_loadbuffer
.text:00402905 push 0
.text:00402907 push 0
.text:00402909 push esi
.text:0040290A call luaJIT_setmode
.text:0040290F push 0 ; a4
.text:00402911 push 0 ; a3
.text:00402913 push 0 ; a2
.text:00402915 push esi ; a1
.text:00402916 call lua_pcall                ; run the chunk once so its globals (myst) get defined
.text:0040291B add esp, 2Ch
.text:0040291E test eax, eax
.text:00402920 jnz short loc_40296F          ; non-zero pcall result = load/run error
.text:00402922 push ebp                      ; ebp: pointer to the string bound to global xut (the post identifies it as the transformed sn)
.text:00402923 push esi
.text:00402924 call lua_pushstring
.text:00402929 push offset aXut ; "xut"
.text:0040292E push 0FFFFD8EEh               ; -10002 = LUA_GLOBALSINDEX (Lua 5.1 / LuaJIT): sets global xut
.text:00402933 push esi
.text:00402934 call lua_setfield
.text:00402939 push offset aMyst ; "myst"
.text:0040293E push 0FFFFD8EEh
.text:00402943 push esi
.text:00402944 call lua_getfield             ; push global myst
.text:00402949 push 0 ; a4
.text:0040294B push 1 ; a3                   ; nresults = 1
.text:0040294D push 0 ; a2                   ; nargs = 0
.text:0040294F push esi ; a1
.text:00402950 call lua_pcall                ; call myst()
...
.text:00402986 push 0FFFFFFFFh ; a2          ; stack index -1: myst's return value
.text:00402988 push esi ; a1
.text:00402989 call lua_tonumber
.text:0040298E add esp, 8
.text:00402991 test eax, eax                 ; NOTE(review): lua_tonumber returns a double (x87 st0), so testing eax here is unusual -- may be a renamed wrapper; verify
.text:00402993 jz short loc_4029A2
.text:00402995 push 0FFFFFFFFh ; a2
.text:00402997 push esi ; a1
.text:00402998 call lua_tointeger
.text:0040299D add esp, 8
.text:004029A0 jmp short loc_4029A6
.text:004029A2 mov eax, [esp+104h+var_F0]
.text:004029A6 test eax, eax
.text:004029A8 jz short loc_4029B1            ; zero result = check failed
-- Recovered logic of the Lua chunk (the post's reconstruction):
xut=sn
if myst()==1 then ok
myst():
x=xut
x+=101*1001+(10101+1001*99)*100
x*=983751509373
x-=1023*13+1203*13*14+1230*13*14*15+1231*13*14*15*16
x=(x+1)*2
-- NOTE(review): expected is well over 100 decimal digits; a plain LuaJIT number (a double)
-- cannot hold it exactly, so the bytecode presumably does the arithmetic on a bignum or
-- string representation -- confirm how x is represented before relying on these steps.
expected=1574592838300862641516215149137548264158058079230003764126382984039489925466995870724568174393389905601620735902909057604303543552180706761904
if (x==expected) return 1 else return 0
lua jit分析
; Locating LuaJIT's bytecode dispatch table so each opcode handler can be broken on:
; from luaJIT_setmode find lj_dispatch_update, from there lj_vm_asm_begin and lj_bc_ofs,
; then break at lj_vm_asm_begin + lj_bc_ofs[i] to analyze what each bytecode does.
根据luaJIT_setmode定位到lj_dispatch_update函数
从lj_dispatch_update定位到lj_vm_asm_begin与lj_bc_ofs
在lj_vm_asm_begin+lj_bc_ofs[i]处下断, 分析各个bytecode的功能
.text:0040AFCE call lj_dispatch_update
.text:0040ACA9 movzx esi, ds:lj_bc_ofs+96h      ; handler offset of one opcode; if lj_bc_ofs is a 16-bit table (as in the LuaJIT sources) +96h is index 0x4B
.text:0040ACB0 movzx edi, ds:lj_bc_ofs+9Ch      ; index 0x4E under the same assumption
.text:0040ACB7 movzx ebp, ds:lj_bc_ofs+0A2h     ; index 0x51
.text:0040ACBE movzx eax, ds:lj_bc_ofs+0AAh     ; index 0x55
.text:0040ACC5 add esi, offset lj_vm_asm_begin  ; offset -> absolute handler address
.text:0040ACCB add edi, offset lj_vm_asm_begin
.text:0040ACD1 add ebp, offset lj_vm_asm_begin
.text:0040ACD7 add eax, offset lj_vm_asm_begin
KXCTF201710BYLoudy08