叹息之墙
2018-9-29 22:27 4067
1. sn输入(g_buf)
二进制像是ollvm处理过的, 直接跳到字符串提示的地方
.text:0040BFF3 lea eax, a2018D0D ; "看雪2018国庆题:叹息之墙\n\n正确的序列号由不超过%d整数构成,每个整数"... ... .text:0040C039 sub esp, 0Ch .text:0040C03C mov [esp], eax .text:0040C03F mov dword ptr [esp+4], 9 .text:0040C047 mov dword ptr [esp+8], 15Fh ... .text:0040C061 call x_printf .text:0040C066 add esp, 0Ch .text:0040C069 lea ecx, aXX0x1x23x45x67 ; "请按照顺序输入数字,用字符'x'隔开,用字符'X'结尾\n例如:0x1x23x"... .text:0040C06F sub esp, 4 .text:0040C072 mov [esp], ecx ... .text:0040C07B call x_printf .text:0040C080 add esp, 4 .text:0040C083 lea ecx, a1000s ; "%1000s" .text:0040C089 lea edx, g_buf .text:0040C08F mov edi, 400h .text:0040C094 sub esp, 0Ch .text:0040C097 mov [esp], ecx .text:0040C09A mov [esp+4], edx .text:0040C09E mov dword ptr [esp+8], 400h ... .text:0040C0B2 call x_scanf .text:0040C0B7 add esp, 0Ch .. .text:0040C0CE lea eax, g_buf .text:0040C0D4 mov g_pbuf, eax
2. 提取sn中的整数到g_ints[]
输入sn: 11x22x33x44X
因为二进制加了混淆, 看汇编的话太费时,
直接在stdio_common_vsscanf处下断, 观察读取格式
.text:0048A594 ___stdio_common_vsscanf proc near
断下时的堆栈1
0018C37C 00473EC5 RETURN to 1_nopie.00473EC5 from <1_nopie.stdio_common_vsscanf> 0018C380 00000003 0018C384 00000000 0018C388 004A0624 ASCII "11x22x33x44X" g_buf 0018C38C FFFFFFFF 0018C390 00498207 ASCII "%d%n" 0018C394 00000000 0018C398 0018CEA4 va_list ... 0018CEA4 0049FE40 offset <1_nopie.g_ints> 0018CEA8 0018CEAC
堆栈1
0018C380 00473EC5 RETURN to 1_nopie.00473EC5 from <1_nopie.stdio_common_vsscanf> 0018C384 00000003 0018C388 00000000 0018C38C 004A0626 ASCII "x22x33x44X" 0018C390 FFFFFFFF 0018C394 0049820C ASCII "%c" 0018C398 00000000 0018C39C 0018CEA8 .. 0018CEA8 0018CEBC 'x'
使用内存访问断点跟踪对0018CEBC的访问
.text:00413644 movzx ebx, byte ptr [ebx] .text:00413647 mov [esi+3040h], ebx ... .text:0041450C mov edx, [esi+3040h] .text:00414512 cmp edx, 'x' ... .text:0041452D mov edx, [esi+3040h] .text:00414533 cmp edx, 'x' ... .text:0041454E mov edx, [esi+3040h] .text:00414554 cmp edx, 'X'
3. 格式化g_ints[]到g_formatted_buf
查找g_ints的引用, 定位到格式化的地方
g_formatted_buf = fmt("%d", g_ints[0]) + fmt("x%d", g_ints[1:]) + "X" .text:0042E1D3 lea eax, aD ; "%d" .text:0042E1D9 lea ecx, g_formatted_buf ... .text:0042E2B4 call x_snprintf .text:0042E9CA lea eax, aXD ; "x%d" .text:0042E9D0 lea ecx, g_formatted_buf ... .text:0042EAC7 call x_snprintf .text:00432A70 lea eax, asc_498216 ; "X" .text:00432A76 lea ecx, g_formatted_buf ... .text:00432B8D call x_snprintf
4. 验证sn格式是否正确
.text:00432BCF sub esp, 8 ... .text:00432BD8 mov eax, esp .text:00432BDA mov dword ptr [eax+4], offset g_buf .text:00432BE1 mov dword ptr [eax], offset g_formatted_buf ... .text:00432BFF call _strcmp .text:00432C04 add esp, 8 .text:00432C07 cmp eax, 0
5. 验证sn中的整数是否从小到大排列
.text:0044028D mov ebx, g_ints[ebx*4] ... .text:004402F1 add eax, 1 ... .text:00440326 cmp ebx, g_ints[eax*4] .text:0044032D setnl dh
6. 计算sum(g_data_table[g_ints[n]])
在结果处下内存访问断点
.text:0044C19D mov eax, g_ints[eax*4] .text:0044C1A4 mov eax, g_data_table[eax*4] .text:0044C1AB mov ecx, [esi+3024h] .text:0044C1B1 mov edx, [ecx] .text:0044C1B3 mov ecx, [ecx+4] .text:0044C1B6 add edx, eax .text:0044C1B8 adc ecx, 0 .text:0044C1BB mov eax, [esi+3024h] .text:0044C1C1 mov [eax], edx .text:0044C1C3 mov [eax+4], ecx
7. 验证模幂 pow(0x65757832, sum, 0xFFA1CF8F) == 0x6E616B34
.text:0044D176 mov ecx, [eax] .text:0044D178 mov eax, [eax+4] .text:0044D17B xor edx, edx .text:0044D17D mov edi, dword ptr a2xue4kan ; "2xue4kan" .text:0044D183 sub esp, 10h .text:0044D186 mov ebx, esp .text:0044D188 mov [ebx+0Ch], eax .text:0044D18B mov [ebx+8], ecx .text:0044D18E mov [ebx+4], edx .text:0044D191 mov [ebx], edi .text:0044D193 call x_powmod .text:0044D198 add esp, 10h .text:0044D19B mov ecx, 0B571D678h .text:0044D1A0 mov edx, 0E7210A91h .text:0044D1A5 mov bl, 1 .text:0044D1A7 xor edi, edi .text:0044D1A9 cmp eax, dword ptr a2xue4kan+4 ; "4kan"
8. 爆破sn
将g_data_table按从小到大排序
[15825810, 31651620, 47477430, ...]
31651620 = 15825810 * 2
47477430 = 15825810 * 3
将15825810记为known_x0, 找出g_data_table中所有不能被known_x0整除的数
将不能被整除的第1个数记为known_x1, 找出g_data_table中所有不能被known_x0, known_x1整除的数
...
如此循环可以得到如下9个数
2 * 3 * 5 * 7 * 11 * 13 * 17 * 31 = 15825810
2 * 3 * 5 * 7 * 11 * 13 * 17 * 271 = 138348210
2 * 3 * 5 * 7 * 11 * 13 * 31 * 271 = 252282030
2 * 3 * 5 * 7 * 11 * 17 * 31 * 271 = 329907270
2 * 3 * 5 * 7 * 13 * 17 * 31 * 271 = 389890410
2 * 3 * 5 * 11 * 13 * 17 * 31 * 271 = 612684930
2 * 3 * 7 * 11 * 13 * 17 * 31 * 271 = 857758902
2 * 5 * 7 * 11 * 13 * 17 * 31 * 271 = 1429598170
3 * 5 * 7 * 11 * 13 * 17 * 31 * 271 = 2144397255
能被known_x0整除的共270个
能被known_x1整除的共30个
能被known_x2整除的共16个
能被known_x3整除的共12个
能被known_x4整除的共10个
能被known_x5整除的共6个
能被known_x6整除的共4个
能被known_x7整除的共2个
能被known_x8整除的共1个
据此爆破即可得到sn: 17x27x60x97x133x161x243x292x309X
9. 爆破脚本
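import itertools

#: g_data_table dumped from the binary; the serial's integers index into it.
DATA_TABLE = [
    3022729710, 2342219880, 1598406810, 3497504010, 2969165430, 2009877870,
    3531948420, 3893149260, 3703239540, 3988104120, 807116310, 490600110,
    3279666390, 205735530, 189909720, 1630058430, 3323420100, 2859196340,
    1155284130, 3119123280, 2706213510, 1202761560, 2213571360, 3196813620,
    4098884790, 2215613400, 696335640, 1171109940, 1245133890, 2089006920,
    1838054790, 2943600660, 1218587370, 138348210, 126606480, 3086032950,
    3873749880, 3180987810, 174083910, 2579607030, 1798526730, 1440148710,
    1819968150, 1550929380, 3719065350, 1383482100, 2785342560, 3671587920,
    2025703680, 3735401670, 3434200770, 1186935750, 2468826360, 3750716970,
    3465852390, 4012098090, 269038770, 2484652170, 3370897530, 3676109580,
    857758902, 443122680, 3165162000, 1503451950, 1962400440, 3639936300,
    3766542780, 1487626140, 2639258160, 1765974210, 743813070, 47477430,
    2152310160, 1471800330, 3244291050, 2959426470, 2801168370, 612684930,
    142432290, 2911949040, 997026030, 2516303790, 2136484350, 522251730,
    1645884240, 756846090, 2358045690, 1123632510, 1756664910, 427296870,
    3182008830, 3956452500, 3038555520, 63303240, 2896123230, 3861497640,
    1709187480, 1559561640, 949548600, 2263090830, 4130536410, 1424322900,
    1535103570, 1946574630, 2389697310, 2573276706, 2453000550, 3275942670,
    3784230450, 2775102330, 2018256240, 332342010, 1788316530, 538077540,
    2309350890, 4257142890, 886245360, 1914923010, 3355071720, 2351919570,
    2627084460, 389890410, 2729232870, 2832819990, 2769516750, 2927774850,
    3687413730, 2168135970, 1028677650, 712161450, 411471060, 3149336190,
    94954860, 2144397255, 4051407360, 2500477980, 1979443620, 1835793960,
    252282030, 2278916640, 1804142340, 2674561890, 633032400, 4225491270,
    348167820, 1250238990, 3908975070, 1044503460, 3481678200, 4162188030,
    3877323450, 2490267780, 1660178520, 1614232620, 4178013840, 2880297420,
    2690387700, 3509013690, 1107806700, 791290500, 2247265020, 2450739720,
    3291768480, 3798194400, 1455974520, 585554970,
    3133510380, 1521830310, 1408497090, 1566755190, 1266064800, 458948490,
    237387150, 2642910270, 3212639430, 989721810, 1519277760, 2270538270,
    3431035608, 1009128120, 1677535860, 2975252280, 3418374960, 933722790,
    902071170, 2658736080, 569729160, 1012851840, 3513329820, 506425920,
    395645250, 3063424650, 1060329270, 3386723340, 2041529490, 968437470,
    329907270, 2628615990, 1313542230, 2722039320, 917896980, 2905312410,
    3544981440, 3006903900, 3529155630, 474774300, 2547955410, 1329368040,
    659814540, 3043660620, 1649536350, 1225369860, 1883271390, 3458705250,
    727987260, 4067233170, 1582581000, 2816994180, 854593740, 1297716420,
    779780820, 4150446300, 2563781220, 4114710600, 2104832730, 3814020210,
    415044630, 2294742450, 1169671230, 2421348930, 316516200, 2595432840,
    3608284680, 1106785680, 4036512480, 4019755740, 2532129600, 2766964200,
    3655762110, 110780670, 3924800880, 2183961780, 2373871500, 553392840,
    1978226250, 2405523120, 4209665460, 2991078090, 2437174740, 1139458320,
    284864580, 3260116860, 759638880, 2057355300, 4241317080, 3299072700,
    3054381330, 31651620, 1715517804, 3576633060, 838767930, 4193839650,
    680509830, 830089260, 2522820300, 3628979970, 1867445580, 1392671280,
    1076155080, 504564060, 1319629080, 1261410150, 3560807250, 2326394070,
    870419550, 3101858760, 664684020, 965374410, 4003929930, 253212960,
    601380780, 648858210, 3829846020, 3339245910, 221561340, 3898904100,
    2231439210, 3320357040, 2310568260, 276696420, 1772490720, 1740839100,
    3027384360, 691741050, 1725013290, 15825810, 300690390, 2075223150,
    4035581550, 3734891160, 822942120, 2073181110, 2199787590, 3940626690,
    1661710050, 2848645800, 1930748820, 3597053460, 3402549150, 3958887240,
    3845671830, 981200220, 617206590, 775464690, 79129050, 158258100,
    2737865130, 3307594290, 3624110490, 1936874940, 363993630, 1281890610,
    1693361670, 4272968700, 1429598170, 3117684570, 3228465240, 4083058980,
    1376845470, 1994052060, 3450026580, 379819440, 4146362220, 2120658540,
    2339342460, 1361019660,
    1091980890, 1234413180, 3972278310, 2611258650, 3592458870, 2753690940,
    2864471610, 1513692180, 3782368590, 1949452050, 3070207140, 553903350,
    1899097200, 1851619770, 1345193850,
]

#: The nine "generator" values found in step 8 of the writeup: sort the table,
#: take the smallest entry, then repeatedly the smallest entry not divisible
#: by any generator found so far.
KNOWN_X = [
    15825810, 138348210, 252282030, 329907270, 389890410,
    612684930, 857758902, 1429598170, 2144397255,
]

#: Constants of the final check (step 7): pow(BASE, sum, MOD) == TARGET.
#: BASE and TARGET are the little-endian dwords of "2xue" and "4kan".
BASE = 0x65757832
MOD = 0xFFA1CF8F
TARGET = 0x6E616B34


def _group_by_generator(values, known_x):
    """Bucket *values* by the first generator in *known_x* that divides them.

    Each bucket holds the quotients ``value // generator`` so that a
    combination of one quotient per bucket reconstructs one candidate sum.
    A value divisible by no generator is reported on stdout and dropped,
    exactly as the original script did.

    Args:
        values: iterable of ints (normally the sorted data table).
        known_x: list of generator ints.

    Returns:
        list of lists of ints, one bucket per generator, in *known_x* order.
    """
    buckets = [[] for _ in known_x]
    for i, v in enumerate(values):
        for k, g in enumerate(known_x):
            if v % g == 0:
                # Integer division keeps the quotients ints on Python 3; the
                # original "/" produced floats there and broke the later pow().
                buckets[k].append(v // g)
                break
        else:
            print('i: %s, v: %s' % (i, v))
    return buckets


def _serial_for(quotients, known_x, data_table):
    """Rebuild the serial string for one combination of quotients.

    Each product ``quotient * generator`` is looked up in *data_table*; the
    resulting indices are sorted (the binary requires ascending order) and
    joined with 'x', terminated by 'X'.

    Raises:
        ValueError: if a product is not present in *data_table*.
    """
    indices = [data_table.index(q * g) for q, g in zip(quotients, known_x)]
    return 'x'.join(str(i) for i in sorted(indices)) + 'X'


def test(data_table=None, known_x=None, base=BASE, mod=MOD, target=TARGET):
    """Brute-force every serial whose table sum satisfies the powmod check.

    Candidate sums are formed by taking one quotient per generator bucket,
    multiplying it back by its generator and adding the nine terms.  Each
    hit is printed (``got <sum>=<quotients>`` then ``sn: <serial>``) and
    its serial string collected.  With the full table the search space is
    the product of the bucket sizes listed in step 8 of the writeup, so
    expect a long run.

    Args:
        data_table: table to search; defaults to DATA_TABLE.
        known_x: generators; defaults to KNOWN_X.
        base, mod, target: parameters of the check pow(base, sum, mod) == target.

    Returns:
        list of matching serial strings, in discovery order (empty if none).
    """
    if data_table is None:
        data_table = DATA_TABLE
    if known_x is None:
        known_x = KNOWN_X
    buckets = _group_by_generator(sorted(data_table), known_x)
    print('start')
    found = []
    for combo in itertools.product(*buckets):
        total = sum(q * g for q, g in zip(combo, known_x))
        if pow(base, total, mod) == target:
            print('got %s=%s' % (total, combo))
            serial = _serial_for(combo, known_x, data_table)
            print('sn: %s' % serial)
            found.append(serial)
    print('end')
    return found


if __name__ == "__main__":
    test()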