-
-
ctf2018-第8题
-
2018-7-1 13:54 2220
-
进制转换36/62/64/256
struct buf {
BYTE len0;
BYTE len0_1; // len0_1 ==len0+4
BYTE len1;
BYTE len2;
BYTE r0[len0+4];
BYTE r1[len1];
BYTE r2[len2];
};
.text:00401A19 mov al, [edx]
.text:00401A1B cmp al, 1
.text:00401A1D jb loc_4023E6
.text:00401A23 cmp al, 18h
.text:00401A25 ja loc_4023E6
.text:00401A2B mov cl, [edx+1]
.text:00401A2E cmp cl, 1
.text:00401A31 mov byte ptr [ebp+var_14], cl
.text:00401A34 jb loc_4023E6
.text:00401A3A cmp cl, 18h
.text:00401A3D ja loc_4023E6
.text:00401A43 mov bl, [edx+2]
.text:00401A46 cmp bl, 1
.text:00401A49 jb loc_4023E6
.text:00401A4F cmp bl, 18h
.text:00401A52 ja loc_4023E6
.text:00401A58 mov cl, [edx+3]
.text:00401A5B cmp cl, 1
.text:00401A5E jb loc_4023E6
.text:00401A64 cmp cl, 18h
.text:00401A67 ja loc_4023E6
.text:00401A6D mov esi, [ebp+var_14]
.text:00401A70 and eax, 0FFh
.text:00401A75 and esi, 0FFh
.text:00401A7B lea edx, [eax+4]
.text:00401A7E cmp edx, esi
.text:00401A80 jnz loc_4023E6
.text:00401A86 and ecx, 0FFh
.text:00401A8C and ebx, 0FFh
.text:00401A92 add eax, ecx
.text:00401A94 mov ecx, [ebp+var_2C]
.text:00401A97 mov edx, [ecx+8]
.text:00401A9A lea eax, [ebx+eax+8]
.text:00401A9E cmp eax, edx
.text:00401AA0 jnz loc_4023E6v1=g_bn1, v2=g_bn2
.text:00401D21 push offset aWelcomeToBbsPe ; "welcome to bbs.pediy.com." .text:00401D26 push offset g_bn1 .text:00401D2B call x_from_basen .text:00401D30 mov edi, offset a0123456789abcd_0 ; .text:00401D35 or ecx, 0FFFFFFFFh .text:00401D38 xor eax, eax .text:00401D3A push 2Bh .text:00401D3C repne scasb .text:00401D3E not ecx .text:00401D40 push 2Dh .text:00401D42 dec ecx .text:00401D43 push offset a0123456789abcd_0 ; .text:00401D48 push ecx .text:00401D49 mov edi, offset aAuthorByLookhc ; "Author by Lookhc" .text:00401D4E or ecx, 0FFFFFFFFh .text:00401D51 repne scasb .text:00401D53 not ecx .text:00401D55 dec ecx .text:00401D56 push ecx .text:00401D57 push offset aAuthorByLookhc ; "Author by Lookhc" .text:00401D5C push offset g_bn2 .text:00401D61 call x_from_basen
校验r0[len0]
.text:00401DEB mov edx, [ebp+var_38] .text:00401DEE lea eax, [ebp+var_44] ; must return 1 .text:00401DF1 lea ecx, [ebp+var_3C] ; must return 0 .text:00401DF4 push eax .text:00401DF5 push ecx .text:00401DF6 mov edi, edx .text:00401DF8 or ecx, 0FFFFFFFFh .text:00401DFB xor eax, eax .text:00401DFD mov [ebp+var_3C], 64h .text:00401E04 mov [ebp+var_44], 0 .text:00401E0B repne scasb .text:00401E0D not ecx .text:00401E0F dec ecx .text:00401E10 push 5 .text:00401E12 push ecx .text:00401E13 push edx .text:00401E14 call sub_4010A0 ; must return 1
校验buf的crc
.text:00401E29 push ecx .text:00401E2A push edx .text:00401E2B push offset loc_401ABF .text:00401E30 push 6780h .text:00401E35 push 13114F0Dh .text:00401E3A push 1F6E1EA0h .text:00401E3F call sub_404A60 ; crc32(buf, 0) == 0 .text:00401E44 add esp, 1Ch .text:00401E47 mov [ebp+lpMem], eax ; must be 0
这个循环会校验 r0^n == r1^n+r2^n (n: 3~9), 这个肯定不成立
.text:00401EF2 cmp eax, 0Ah .text:00401EF5 jge loc_40210F .text:00401EFB test eax, eax .text:00401EFD jnz short loc_401F30 ... .text:004020FF call bn_compare .text:00402104 test eax, eax .text:00402106 jnz loc_4022E9 ; always jmp
异常处理
.text:004022E9 mov eax, [ebp+var_3C] ; must be 0 .text:004022EC test eax, eax .text:004022EE jnz short loc_402305 .text:004022F0 lea eax, [ebp+var_48] .text:004022F3 push offset __TI1H ; throw info for 'int' .text:004022F8 push eax .text:004022F9 mov [ebp+var_48], 1 .text:00402300 call __CxxThrowException@8 ; _CxxThrowException(x,x) .text:00402367 ; catch(...) // owned by 401EE8 .text:00402367 mov dword ptr [ebp-30h], 2 .text:0040236E mov eax, offset loc_40211C .text:00402373 retn .text:0040211C mov eax, [ebp-30h] .text:0040211F mov [ebp+var_4], 0FFFFFFFFh .text:00402126 cmp eax, 2 .text:00402129 jnz loc_402399
r1-r2=bn2
2*r1+4*r2=bn1
.text:00402189 call bn_add ... .text:004021BB call bn_compare .text:004021CE push 4 .text:004021D0 push edx .text:004021D1 call bn_int ... .text:004021F5 call bn_mul .text:004021FA lea ecx, [ebp+var_1970] .text:00402200 push 2 .text:00402202 push ecx .text:00402203 call bn_int ... .text:00402226 call bn_mul .text:0040222B mov ecx, 84h .text:00402230 mov esi, offset g_bn1 ... .text:0040225F call bn_add ... .text:0040228D call bn_rebase
crc32_table = [
0x00000000L, 0x77073096L, 0xee0e612cL, 0x990951baL, 0x076dc419L, 0x706af48fL, 0xe963a535L, 0x9e6495a3L,
0x0edb8832L, 0x79dcb8a4L, 0xe0d5e91eL, 0x97d2d988L, 0x09b64c2bL, 0x7eb17cbdL, 0xe7b82d07L, 0x90bf1d91L,
0x1db71064L, 0x6ab020f2L, 0xf3b97148L, 0x84be41deL, 0x1adad47dL, 0x6ddde4ebL, 0xf4d4b551L, 0x83d385c7L,
0x136c9856L, 0x646ba8c0L, 0xfd62f97aL, 0x8a65c9ecL, 0x14015c4fL, 0x63066cd9L, 0xfa0f3d63L, 0x8d080df5L,
0x3b6e20c8L, 0x4c69105eL, 0xd56041e4L, 0xa2677172L, 0x3c03e4d1L, 0x4b04d447L, 0xd20d85fdL, 0xa50ab56bL,
0x35b5a8faL, 0x42b2986cL, 0xdbbbc9d6L, 0xacbcf940L, 0x32d86ce3L, 0x45df5c75L, 0xdcd60dcfL, 0xabd13d59L,
0x26d930acL, 0x51de003aL, 0xc8d75180L, 0xbfd06116L, 0x21b4f4b5L, 0x56b3c423L, 0xcfba9599L, 0xb8bda50fL,
0x2802b89eL, 0x5f058808L, 0xc60cd9b2L, 0xb10be924L, 0x2f6f7c87L, 0x58684c11L, 0xc1611dabL, 0xb6662d3dL,
0x76dc4190L, 0x01db7106L, 0x98d220bcL, 0xefd5102aL, 0x71b18589L, 0x06b6b51fL, 0x9fbfe4a5L, 0xe8b8d433L,
0x7807c9a2L, 0x0f00f934L, 0x9609a88eL, 0xe10e9818L, 0x7f6a0dbbL, 0x086d3d2dL, 0x91646c97L, 0xe6635c01L,
0x6b6b51f4L, 0x1c6c6162L, 0x856530d8L, 0xf262004eL, 0x6c0695edL, 0x1b01a57bL, 0x8208f4c1L, 0xf50fc457L,
0x65b0d9c6L, 0x12b7e950L, 0x8bbeb8eaL, 0xfcb9887cL, 0x62dd1ddfL, 0x15da2d49L, 0x8cd37cf3L, 0xfbd44c65L,
0x4db26158L, 0x3ab551ceL, 0xa3bc0074L, 0xd4bb30e2L, 0x4adfa541L, 0x3dd895d7L, 0xa4d1c46dL, 0xd3d6f4fbL,
0x4369e96aL, 0x346ed9fcL, 0xad678846L, 0xda60b8d0L, 0x44042d73L, 0x33031de5L, 0xaa0a4c5fL, 0xdd0d7cc9L,
0x5005713cL, 0x270241aaL, 0xbe0b1010L, 0xc90c2086L, 0x5768b525L, 0x206f85b3L, 0xb966d409L, 0xce61e49fL,
0x5edef90eL, 0x29d9c998L, 0xb0d09822L, 0xc7d7a8b4L, 0x59b33d17L, 0x2eb40d81L, 0xb7bd5c3bL, 0xc0ba6cadL,
0xedb88320L, 0x9abfb3b6L, 0x03b6e20cL, 0x74b1d29aL, 0xead54739L, 0x9dd277afL, 0x04db2615L, 0x73dc1683L,
0xe3630b12L, 0x94643b84L, 0x0d6d6a3eL, 0x7a6a5aa8L, 0xe40ecf0bL, 0x9309ff9dL, 0x0a00ae27L, 0x7d079eb1L,
0xf00f9344L, 0x8708a3d2L, 0x1e01f268L, 0x6906c2feL, 0xf762575dL, 0x806567cbL, 0x196c3671L, 0x6e6b06e7L,
0xfed41b76L, 0x89d32be0L, 0x10da7a5aL, 0x67dd4accL, 0xf9b9df6fL, 0x8ebeeff9L, 0x17b7be43L, 0x60b08ed5L,
0xd6d6a3e8L, 0xa1d1937eL, 0x38d8c2c4L, 0x4fdff252L, 0xd1bb67f1L, 0xa6bc5767L, 0x3fb506ddL, 0x48b2364bL,
0xd80d2bdaL, 0xaf0a1b4cL, 0x36034af6L, 0x41047a60L, 0xdf60efc3L, 0xa867df55L, 0x316e8eefL, 0x4669be79L,
0xcb61b38cL, 0xbc66831aL, 0x256fd2a0L, 0x5268e236L, 0xcc0c7795L, 0xbb0b4703L, 0x220216b9L, 0x5505262fL,
0xc5ba3bbeL, 0xb2bd0b28L, 0x2bb45a92L, 0x5cb36a04L, 0xc2d7ffa7L, 0xb5d0cf31L, 0x2cd99e8bL, 0x5bdeae1dL,
0x9b64c2b0L, 0xec63f226L, 0x756aa39cL, 0x026d930aL, 0x9c0906a9L, 0xeb0e363fL, 0x72076785L, 0x05005713L,
0x95bf4a82L, 0xe2b87a14L, 0x7bb12baeL, 0x0cb61b38L, 0x92d28e9bL, 0xe5d5be0dL, 0x7cdcefb7L, 0x0bdbdf21L,
0x86d3d2d4L, 0xf1d4e242L, 0x68ddb3f8L, 0x1fda836eL, 0x81be16cdL, 0xf6b9265bL, 0x6fb077e1L, 0x18b74777L,
0x88085ae6L, 0xff0f6a70L, 0x66063bcaL, 0x11010b5cL, 0x8f659effL, 0xf862ae69L, 0x616bffd3L, 0x166ccf45L,
0xa00ae278L, 0xd70dd2eeL, 0x4e048354L, 0x3903b3c2L, 0xa7672661L, 0xd06016f7L, 0x4969474dL, 0x3e6e77dbL,
0xaed16a4aL, 0xd9d65adcL, 0x40df0b66L, 0x37d83bf0L, 0xa9bcae53L, 0xdebb9ec5L, 0x47b2cf7fL, 0x30b5ffe9L,
0xbdbdf21cL, 0xcabac28aL, 0x53b39330L, 0x24b4a3a6L, 0xbad03605L, 0xcdd70693L, 0x54de5729L, 0x23d967bfL,
0xb3667a2eL, 0xc4614ab8L, 0x5d681b02L, 0x2a6f2b94L, 0xb40bbe37L, 0xc30c8ea1L, 0x5a05df1bL, 0x2d02ef8dL
]
crc32_table_highest_byte_map = [-1] * 256
for i in range(256):
crc32_table_highest_byte_map[(crc32_table[i] >> 24) & 0xFF] = i
def array_to_int(k, base):
v = 0
n = 1
for _ in k:
v += n * _
n *= base
return v
def int_to_array(v, base):
r = []
while v != 0:
r.append(v % base)
v = v / base
return r
def str_to_int(s, char_map): # type:(str,str) -> int
r = []
for _ in s:
r.append(char_map.find(_))
return array_to_int(r, len(char_map))
def int_to_str(v, char_map): # type:(int,str) -> str
r = int_to_array(v, len(char_map))
s = ''
for _ in r:
s = char_map[_] + s
return s
def print_array(r):
s = ''
for _ in r:
s += ('%x' % _).zfill(2) + ' '
print s
return
def print_int(v, base):
r = int_to_array(v, base)
print_array(r)
return
def array_to_str(k):
s = ''
for _ in k:
s += chr(_)
return s
def str_to_array(s):
k = []
for _ in s:
k.append(ord(s))
return k
def crc32_update(k, crc):
for b in k:
crc = (crc >> 8) ^ crc32_table[b ^ (crc & 0xFF)]
return crc
def get_crc32_update_init_value(k, crc):
z = len(k) - 1
while z >= 0:
idx = crc32_table_highest_byte_map[(crc >> 24) & 0xFF]
crc = ((crc32_table[idx] ^ crc) << 8) | (idx ^ k[z])
z -= 1
return crc
def crc32(k, crc_init=0):
crc = crc_init
crc = (~crc) & 0xFFFFFFFF
crc = crc32_update(k, crc)
crc = (~crc) & 0xFFFFFFFF
return crc
def crc_RF(x):
return crc32_table_highest_byte_map[x]
def crc_F(x):
return (crc32_table[x] >> 24) & 0xFF
def crc_G(x):
return (crc32_table[x] >> 16) & 0xFF
def crc_H(x):
return (crc32_table[x] >> 8) & 0xFF
def crc_I(x):
return (crc32_table[x] >> 0) & 0xFF
def crack_crc(s_head, s_tail, crc_init, crc_final):
crc1 = (~crc_init) & 0xFFFFFFFF
crc1 = crc32_update(s_head, crc1)
crc2 = (~crc_final) & 0xFFFFFFFF
crc2 = get_crc32_update_init_value(s_tail, crc2)
# hxxps://bbs.pediy.com/thread-8699.htm
W = (crc2 >> 24) & 0xFF
X = (crc2 >> 16) & 0xFF
Y = (crc2 >> 8) & 0xFF
Z = (crc2 >> 0) & 0xFF
A = (crc1 >> 24) & 0xFF
B = (crc1 >> 16) & 0xFF
C = (crc1 >> 8) & 0xFF
D = (crc1 >> 0) & 0xFF
p = crc_RF(W)
o = crc_RF(X ^ crc_G(p))
n = crc_RF(Y ^ crc_G(o) ^ crc_H(p))
m = crc_RF(Z ^ crc_G(n) ^ crc_H(o) ^ crc_I(p))
d = m ^ D
c = n ^ C ^ crc_I(m)
b = o ^ B ^ crc_H(m) ^ crc_I(n)
a = p ^ A ^ crc_G(m) ^ crc_H(n) ^ crc_I(o)
return [d, c, b, a]
def check_crc_table():
print('xxstart')
k3 = [0] * 256
k2 = [0] * 256
k1 = [0] * 256
k0 = [0] * 256
for _ in range(256):
k3[(crc32_table[_] >> 24) & 0xFF] += 1
k2[(crc32_table[_] >> 16) & 0xFF] += 1
k1[(crc32_table[_] >> 8) & 0xFF] += 1
k0[(crc32_table[_] >> 0) & 0xFF] += 1
for _ in range(256):
if k3[_] != 1:
print('k3[%s]=%s' % (_, k3[_]))
# if k2[_] != 1:
# print('k2[%s]=%s' % (_, k2[_]))
# if k1[_] != 1:
# print('k1[%s]=%s' % (_, k1[_]))
# if k0[_] != 1:
# print('k0[%s]=%s' % (_, k0[_]))
print('xxend')
return
def x_401080(v):
if v == 0:
return 0
r = 1
while (v & 1) == 0:
v >>= 1
r *= 2
if v == 0:
return 0
return r
def x_4010A0(buf, bits):
a1 = 0
buf_len = (1 << bits) - 1
v_cnt0 = buf_len
v_cnt1 = 0
v_cnt2 = 0
_ = 0
for _ in range(buf_len):
c = buf[_]
v_cnt0_v = x_401080(v_cnt0)
v_cnt1_v = x_401080(v_cnt1)
v_cnt2_v = x_401080(v_cnt2)
_v_cnt0_v = v_cnt0_v if v_cnt0_v != 0 else 100
_v_cnt1_v = v_cnt1_v if v_cnt1_v != 0 else 100
_v_cnt2_v = v_cnt2_v if v_cnt2_v != 0 else 100
if c == 0:
if _v_cnt0_v >= _v_cnt1_v:
break
v_cnt0 -= v_cnt0_v
v_cnt1 += v_cnt0_v
a1 = v_cnt0_v
elif c == 1:
if _v_cnt0_v >= _v_cnt2_v:
break
v_cnt0 -= v_cnt0_v
v_cnt2 += v_cnt0_v
a1 = v_cnt0_v
elif c == 2:
if _v_cnt1_v >= _v_cnt0_v:
break
v_cnt0 += v_cnt1_v
v_cnt1 -= v_cnt1_v
a1 = v_cnt1_v
elif c == 3:
if _v_cnt1_v >= _v_cnt2_v:
break
v_cnt1 -= v_cnt1_v
v_cnt2 += v_cnt1_v
a1 = v_cnt1_v
elif c == 4:
if _v_cnt2_v >= _v_cnt0_v:
break
v_cnt0 += v_cnt2_v
v_cnt2 -= v_cnt2_v
a1 = v_cnt2_v
elif c == 5:
if _v_cnt2_v >= _v_cnt1_v:
break
v_cnt1 += v_cnt2_v
v_cnt2 -= v_cnt2_v
a1 = v_cnt2_v
r = False
a0 = v_cnt0
if _ == (buf_len - 1) and a0 == 0 and a1 == 1:
r = True
return [r, a0, a1]
def x_crack_part1_raw(buf, offset, cond0, cond1, vct_max, strict=False):
bits = 5
# buf[(1 << bits) - 1] == 0
i7_end = 6 if (offset != 0x18) else 1
vct = []
for i0 in range(6):
for i1 in range(6):
for i2 in range(6):
for i3 in range(6):
for i4 in range(6):
for i5 in range(6):
for i6 in range(6):
for i7 in range(i7_end):
buf[offset + 0] = i0
buf[offset + 1] = i1
buf[offset + 2] = i2
buf[offset + 3] = i3
buf[offset + 4] = i4
buf[offset + 5] = i5
buf[offset + 6] = i6
buf[offset + 7] = i7
r, a_0, a_1 = x_4010A0(buf, bits)
if strict:
ok = r
else:
ok = a_0 <= cond0 and (cond1 < 0 or a_1 <= cond1)
if ok:
v = [i0, i1, i2, i3, i4, i5, i6, i7]
if strict:
print('(%s): %s' % (len(vct), v))
vct.append(v)
if (vct_max > 0) and (len(vct) >= vct_max):
return vct
return vct
def x_crack_part1(count, use_cache=True):
buf = [0] * 32
print('crack_part1 0:8')
offset = 0
if use_cache:
vct0 = [[0, 1, 3, 0, 4, 5, 0, 1], ]
else:
vct0 = x_crack_part1_raw(buf, offset, 0x10, -1, 1)
print vct0
for _ in range(8):
buf[offset + _] = vct0[0][_]
print('crack_part1 8:0x10')
offset += 8
if use_cache:
vct1 = [[2, 1, 2, 4, 3, 0, 1, 3], ]
else:
vct1 = x_crack_part1_raw(buf, offset, 0x0F, -1, 1)
print vct1
for _ in range(8):
buf[offset + _] = vct1[0][_]
print('crack_part1 0x10:0x18')
offset += 8
if use_cache:
vct2 = [[0, 2, 0, 2, 0, 2, 0, 4], ]
else:
vct2 = x_crack_part1_raw(buf, offset, 0, 1, 1)
print vct2
for _ in range(8):
buf[offset + _] = vct2[0][_]
print('crack_part1 0x18:0x20')
offset += 8
vct3 = x_crack_part1_raw(buf, offset, 0, 1, count, strict=True)
r = []
for a in range(len(vct3)):
v = [_ for _ in buf]
for b in range(8):
v[offset + b] = vct3[a][b]
# print_array(v)
r.append(v)
return r
def x_gen_sn(k):
# char_map36 = 'abcdefghijklmnopqrstuvwxyz0123456789'
char_map62 = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz'
char_map64 = '0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz. '
r0_0 = []
for _ in range(0, len(k), 2):
r0_0 = [k[_ + 1] * 6 + k[_], ] + r0_0
v = array_to_int(r0_0, 36)
# print_int(v, 36)
# print int_to_str(v, char_map36)
r0_0 = int_to_array(v, 256)
r0_1 = [-1] * 4
r0 = r0_0 + r0_1
v1 = str_to_int('welcome to bbs.pediy.com.'[::-1], char_map64)
v2 = str_to_int('Author by Lookhc'[::-1], char_map64)
y = (v1 - v2 * 2) / 6
x = y + v2
r1 = int_to_array(x, 256)
r2 = int_to_array(y, 256)
k = [len(r0) - 4, len(r0), len(r1), len(r2)] + r0 + r1 + r2
r0_1 = crack_crc(k[0:len(r0)], k[4 + len(r0):], 0, 0)
r0 = r0_0 + r0_1
k = [len(r0) - 4, len(r0), len(r1), len(r2)] + r0 + r1 + r2
print int_to_str(array_to_int(k, 256), char_map62)
return
def test():
# count = 256
count = 2
ks = x_crack_part1(count, use_cache=True)
for _ in range(len(ks)):
x_gen_sn(ks[_])
return
test()
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
赞赏
|
|
|---|---|
|
|
他的文章
KCTF2022春季赛 第三题 石像病毒
8200
KCTF2022春季赛 第二题 末日邀请
15319
KCTF2021秋季赛 第二题 迷失丛林
17840
KCTF2020秋季赛 第十题 终焉之战
8021
KCTF2020秋季赛 第九题 命悬一线
5765
