-
-
看雪CTF.TSRC 2018 团队赛-第8题
-
发表于: 2018-12-16 07:12 3184
-
1. 处理逻辑
BYTE sn[16+20]; check1验证前半部分, check2验证后半部分
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | .text:00402811 lea edx, [ebp+sn].text:00402814 push edx ; buf.text:00402815 lea eax, [ebp+str_sn].text:0040281B push eax ; a1.text:0040281C call hex_to_bin.text:00402821 add esp, 20h.text:00402824 cmp eax, 36.text:00402827 jnz short loc_402849.text:00402829 lea ecx, [ebp+sn].text:0040282C push ecx.text:0040282D call x_check1.text:00402832 add esp, 4.text:00402835 test eax, eax.text:00402837 jz short loc_402849.text:00402839 lea edx, [ebp+sn+10h].text:0040283C push edx.text:0040283D call x_check2 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | .text:00402811 lea edx, [ebp+sn].text:00402814 push edx ; buf.text:00402815 lea eax, [ebp+str_sn].text:0040281B push eax ; a1.text:0040281C call hex_to_bin.text:00402821 add esp, 20h.text:00402824 cmp eax, 36.text:00402827 jnz short loc_402849.text:00402829 lea ecx, [ebp+sn].text:0040282C push ecx.text:0040282D call x_check1.text:00402832 add esp, 4.text:00402835 test eax, eax.text:00402837 jz short loc_402849.text:00402839 lea edx, [ebp+sn+10h].text:0040283C push edx.text:0040283D call x_check2 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 | .text:00402811 lea edx, [ebp+sn].text:00402814 push edx ; buf.text:00402815 lea eax, [ebp+str_sn].text:0040281B push eax ; a1.text:0040281C call hex_to_bin.text:00402821 add esp, 20h.text:00402824 cmp eax, 36.text:00402827 jnz short loc_402849.text:00402829 lea ecx, [ebp+sn].text:0040282C push ecx.text:0040282D call x_check1.text:00402832 add esp, 4.text:00402835 test eax, eax.text:00402837 jz short loc_402849.text:00402839 lea edx, [ebp+sn+10h].text:0040283C push edx.text:0040283D call x_check2 |
2. check1(主要是二元一次浮点运算), 得到sn前半部分: 76474B2B1926009C452B006272001902
test.cpp
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 | typedef struct tagPointF{ double x; double y;}PointF, *PPointF;double get_pi(){ double pi; *((DWORD64 *)&pi) = 0x400921FB5442771C; return pi;}string g_str_part1_expected = util::hex2bin("EEB9171C0B535640B08F207B1FCB53C03EDEDAB2D8CD5BC0C2E04F8024B8014028D9AE091D454D40BCBFB0BAA4103D40593D04F9440D494079F8577F3FE845402A3EB76F3D4943C09047A102410318C0FE3CD86E3FD2574074E505B84FEE37409355C67FA98D5F40CC052BFED1914BC048D363E2EE4244404009C744AB39354050B7F31ADCAB0F4054CC0B4B2BA02B40309FBBE1D42C504018CF21801F7026C00A5D83EA8655514094B7E265F3E24240B1215C0315E74840C001F6C35AAEF03F34EE29D023421F4084016925DD933D4058E4B88B3C46204038F87B858407274070161F32582318C0B8D55808C32F20C0546B434AF2893940D89E2FD10FA4FA3F");PPointF g_part1_expected = (PPointF)g_str_part1_expected.c_str();string g_str_pts_const1 = util::hex2bin("EE1926ACE715E43FC9F8493847E9E8BF36075F9A6DD5EEBFA81D8421FE1ED13F000000000000F03F075C143326A6B1BC000000000000F03F000000000000000036075F9A6DD5EEBFA81D8421FE1ED13F000000000000F03F0000000000000000AB8604B97D69E73F141BA89A86D0E5BF41B13E0865DAEF3F151D92D94880B8BF000000000000F03F075C143326A6B1BCAB8604B97D69E73F141BA89A86D0E5BF2F58C368100FEE3FEAC193588EF3D53F1869F1C5E9FAEF3F508B6EE7560AA23F000000000000F03F000000000000000041B13E0865DAEF3F151D92D94880B8BF1869F1C5E9FAEF3F508B6EE7560AA23F138D486D01E2ED3FC402F17478E4D6BF");PPointF g_pts_const1 = (PPointF)g_str_pts_const1.c_str();string g_str_pts_const2 = util::hex2bin("26B18B5A4F64EC3F19D8B235EB85DD3F000000000000F03F075C143326A6B1BC000000000000F03F00000000000000006F5AAE0BC8B7EB3F7A016B8D7DFBDF3F000000000000F03F075C143326A6B1BC6F5AAE0BC8B7EB3F7A016B8D7DFBDF3F96A95B1782F4EF3F258E251B341CAB3FCDE70F56B7D9EF3FC76F400E7CB8B8BF000000000000F03F000000000000000096A95B1782F4EF3F258E251B341CAB3FBC732036F7D2EF3F2C266CAF5ECEBA3FD4702B0AD39CEF3F8605EF9065DBC33F6F5AAE0BC8B7EB3F7A016B8D7DFBDF3FCDE70F56B7D9EF3FC76F400E7CB8B8BFD4702B0AD39CEF3F8605EF9065DBC33FB4ADFBFF5EC3E83FD93C046A9144E43F");PPointF g_pts_const2 = (PPointF)g_str_pts_const2.c_str();PointF g_pi_const1[2] = { { cos((0) * get_pi() / 2), sin((0) * get_pi() / 2) }, { cos((-1) * get_pi() / 2), sin((-1) * get_pi() / 2) },};PointF g_pi_const2[2] = { { cos((0) * get_pi() / 2), sin((0) * get_pi() / 2) }, { cos((1) * get_pi() / 2), sin((1) * get_pi() / 2) },};void x_p0(PPointF pts, PPointF pts_const, int count){ for (int i = 0; i < count; i++) { double x = pts[i].x; double y = pts[i].y; double m = pts_const[i].x; double n = pts_const[i].y; pts[i].x = x * m - y * n; pts[i].y = x * n + y * m; }}void x_p0_r(PPointF pts, PPointF pts_const, int count){ for (int i = 0; i < count; i++) { double x = pts[i].x; double y = pts[i].y; double m = pts_const[i].x; double n = pts_const[i].y; pts[i].x = (y * n + x * m) / (m * m + n * n); pts[i].y = (y * m - x * n) / (m * m + n * n); }}void x_p1_raw(PPointF pts, PPointF pts_const){ PointF p0; PointF p1; PointF p2; PointF p3; PointF c0 = pts_const[0]; PointF c1 = pts_const[1]; p0 = pts[0]; p1 = pts[1]; p2 = pts[2]; p3 = pts[3]; pts[0].x = p0.x + p2.x; pts[0].y = p0.y + p2.y; pts[1].x = p1.x + p3.x; pts[1].y = p1.y + p3.y; pts[2].x = p0.x - p2.x; pts[2].y = p0.y - p2.y; pts[3].x = p1.x - p3.x; pts[3].y = p1.y - p3.y; x_p0(pts + 2, &c0, 1); x_p0(pts + 3, &c1, 1); p0 = pts[0]; p1 = pts[1]; p2 = pts[2]; p3 = pts[3]; pts[0].x = p0.x + p1.x; pts[0].y = p0.y + p1.y; pts[1].x = p0.x - p1.x; pts[1].y = p0.y - p1.y; pts[2].x = p2.x + p3.x; pts[2].y = p2.y + p3.y; pts[3].x = p2.x - p3.x; pts[3].y = p2.y - p3.y; x_p0(pts + 1, &c0, 1); x_p0(pts + 3, &c0, 1); PointF tmp = pts[1]; pts[1] = pts[2]; pts[2] = tmp;}void x_p1_raw_r(PPointF pts, PPointF pts_const){ PointF tmp = pts[1]; pts[1] = pts[2]; pts[2] = tmp; PointF p0; PointF p1; PointF p2; PointF p3; PointF c0 = pts_const[0]; PointF c1 = pts_const[1]; x_p0_r(pts + 1, &c0, 1); x_p0_r(pts + 3, &c0, 1); p0 = pts[0]; p1 = pts[1]; p2 = pts[2]; p3 = pts[3]; pts[0].x = (p0.x + p1.x) / 2; pts[1].x = (p0.x - p1.x) / 2; pts[0].y = (p0.y + p1.y) / 2; pts[1].y = (p0.y - p1.y) / 2; pts[2].x = (p2.x + p3.x) / 2; pts[3].x = (p2.x - p3.x) / 2; pts[2].y = (p2.y + p3.y) / 2; pts[3].y = (p2.y - p3.y) / 2; x_p0_r(pts + 2, &c0, 1); x_p0_r(pts + 3, &c1, 1); p0 = pts[0]; p1 = pts[1]; p2 = pts[2]; p3 = pts[3]; pts[0].x = (p0.x + p2.x) / 2; pts[2].x = (p0.x - p2.x) / 2; pts[0].y = (p0.y + p2.y) / 2; pts[2].y = (p0.y - p2.y) / 2; pts[1].x = (p1.x + p3.x) / 2; pts[3].x = (p1.x - p3.x) / 2; pts[1].y = (p1.y + p3.y) / 2; pts[3].y = (p1.y - p3.y) / 2;}void x_p1(PPointF pts){ size_t i; PointF tmp[4][4]; for (i = 0; i < 4; i++) { tmp[0][i] = pts[4 * i + 0]; tmp[1][i] = pts[4 * i + 1]; tmp[2][i] = pts[4 * i + 2]; tmp[3][i] = pts[4 * i + 3]; } for (i = 0; i < 4; i++) { x_p1_raw(&tmp[i][0], g_pi_const1); } for (i = 0; i < 4; i++) { pts[4 * i + 0] = tmp[0][i]; pts[4 * i + 1] = tmp[1][i]; pts[4 * i + 2] = tmp[2][i]; pts[4 * i + 3] = tmp[3][i]; } for (i = 0; i < 4; i++) { x_p1_raw(pts + 4 * i, g_pi_const1); }}void x_p1_r(PPointF pts){ size_t i; PointF tmp[4][4]; for (i = 0; i < 4; i++) { x_p1_raw_r(pts + 4 * i, g_pi_const1); } for (i = 0; i < 4; i++) { tmp[0][i] = pts[4 * i + 0]; tmp[1][i] = pts[4 * i + 1]; tmp[2][i] = pts[4 * i + 2]; tmp[3][i] = pts[4 * i + 3]; } for (i = 0; i < 4; i++) { x_p1_raw_r(&tmp[i][0], g_pi_const1); } for (i = 0; i < 4; i++) { pts[4 * i + 0] = tmp[0][i]; pts[4 * i + 1] = tmp[1][i]; pts[4 * i + 2] = tmp[2][i]; pts[4 * i + 3] = tmp[3][i]; }}void x_p2_raw(PPointF pts, PPointF pts_const){ x_p1_raw(pts, pts_const); for (size_t i = 0; i < 4; i++) { pts[i].x /= 4; pts[i].y /= 4; }}void x_p2_raw_r(PPointF pts, PPointF pts_const){ for (size_t i = 0; i < 4; i++) { pts[i].x *= 4; pts[i].y *= 4; } x_p1_raw_r(pts, pts_const);}void x_p2(PPointF pts){ size_t i; PointF tmp[4][4]; for (i = 0; i < 4; i++) { x_p2_raw(pts + 4 * i, g_pi_const2); } for (i = 0; i < 4; i++) { tmp[0][i] = pts[4 * i + 0]; tmp[1][i] = pts[4 * i + 1]; tmp[2][i] = pts[4 * i + 2]; tmp[3][i] = pts[4 * i + 3]; } for (i = 0; i < 4; i++) { x_p2_raw(&tmp[i][0], g_pi_const2); } for (i = 0; i < 4; i++) { pts[4 * i + 0] = tmp[0][i]; pts[4 * i + 1] = tmp[1][i]; pts[4 * i + 2] = tmp[2][i]; pts[4 * i + 3] = tmp[3][i]; }}void x_p2_r(PPointF pts){ size_t i; PointF tmp[4][4]; for (i = 0; i < 4; i++) { tmp[0][i] = pts[4 * i + 0]; tmp[1][i] = pts[4 * i + 1]; tmp[2][i] = pts[4 * i + 2]; tmp[3][i] = pts[4 * i + 3]; } for (i = 0; i < 4; i++) { x_p2_raw_r(&tmp[i][0], g_pi_const2); } for (i = 0; i < 4; i++) { pts[4 * i + 0] = tmp[0][i]; pts[4 * i + 1] = tmp[1][i]; pts[4 * i + 2] = tmp[2][i]; pts[4 * i + 3] = tmp[3][i]; } for (i = 0; i < 4; i++) { x_p2_raw_r(pts + 4 * i, g_pi_const2); }}void test_part1(){ BYTE sn[16] = { 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x22, 0x22, 0x33, 0x33, 0x33, 0x33, 0x44, 0x44, 0x44, 0x44, }; BYTE map[16] = { 0x00, 0x09, 0x02, 0x0B, 0x0F, 0x04, 0x0D, 0x06, 0x0A, 0x03, 0x08, 0x01, 0x05, 0x0E, 0x07, 0x0C, }; size_t i; BYTE buf[16] = {0}; for (i = 0; i < 16; i++) { buf[map[i]] = sn[i]; } PointF pts[16] = {0}; for (i = 0; i < 16; i++) { pts[i].x = buf[i]; } x_p0(pts, g_pts_const1, 16); x_p1(pts); x_p0(pts, g_pts_const2, 16); x_p2(pts);}BYTE double_to_byte(double v){ BYTE ch = 0; char buf[256] = {0}; sprintf(buf, "%f", v); char *dot = strchr(buf, '.'); if (dot != NULL) { *dot = 0; ch = (BYTE)atoi(buf); } return ch;}string x_get_sn_part1(){ int i; PPointF pts = g_part1_expected; x_p2_r(pts); x_p0_r(pts, g_pts_const2, 16); x_p1_r(pts); x_p0_r(pts, g_pts_const1, 16); BYTE r_map[16] = {0}; for (i = 0; i < 16; i++) { BYTE row = (7 * (i / 4) + 2 * (i % 4)) % 4; BYTE col = (i / 4 + i % 4 + 2 * (i / 4)) % 4; r_map[4 * row + col] = i; } BYTE sn[16] = {0}; for (i = 0; i < 16; i++) { //printf("%f\n", pts[i].x); sn[r_map[i]] = double_to_byte(pts[i].x); } return util::bin2hex(sn, 16);} |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 | typedef struct tagPointF{ double x; double y;}PointF, *PPointF;double get_pi(){ double pi; *((DWORD64 *)&pi) = 0x400921FB5442771C; return pi;}string g_str_part1_expected = util::hex2bin("EEB9171C0B535640B08F207B1FCB53C03EDEDAB2D8CD5BC0C2E04F8024B8014028D9AE091D454D40BCBFB0BAA4103D40593D04F9440D494079F8577F3FE845402A3EB76F3D4943C09047A102410318C0FE3CD86E3FD2574074E505B84FEE37409355C67FA98D5F40CC052BFED1914BC048D363E2EE4244404009C744AB39354050B7F31ADCAB0F4054CC0B4B2BA02B40309FBBE1D42C504018CF21801F7026C00A5D83EA8655514094B7E265F3E24240B1215C0315E74840C001F6C35AAEF03F34EE29D023421F4084016925DD933D4058E4B88B3C46204038F87B858407274070161F32582318C0B8D55808C32F20C0546B434AF2893940D89E2FD10FA4FA3F");PPointF g_part1_expected = (PPointF)g_str_part1_expected.c_str();string g_str_pts_const1 = util::hex2bin("EE1926ACE715E43FC9F8493847E9E8BF36075F9A6DD5EEBFA81D8421FE1ED13F000000000000F03F075C143326A6B1BC000000000000F03F000000000000000036075F9A6DD5EEBFA81D8421FE1ED13F000000000000F03F0000000000000000AB8604B97D69E73F141BA89A86D0E5BF41B13E0865DAEF3F151D92D94880B8BF000000000000F03F075C143326A6B1BCAB8604B97D69E73F141BA89A86D0E5BF2F58C368100FEE3FEAC193588EF3D53F1869F1C5E9FAEF3F508B6EE7560AA23F000000000000F03F000000000000000041B13E0865DAEF3F151D92D94880B8BF1869F1C5E9FAEF3F508B6EE7560AA23F138D486D01E2ED3FC402F17478E4D6BF");PPointF g_pts_const1 = (PPointF)g_str_pts_const1.c_str();string g_str_pts_const2 = util::hex2bin("26B18B5A4F64EC3F19D8B235EB85DD3F000000000000F03F075C143326A6B1BC000000000000F03F00000000000000006F5AAE0BC8B7EB3F7A016B8D7DFBDF3F000000000000F03F075C143326A6B1BC6F5AAE0BC8B7EB3F7A016B8D7DFBDF3F96A95B1782F4EF3F258E251B341CAB3FCDE70F56B7D9EF3FC76F400E7CB8B8BF000000000000F03F000000000000000096A95B1782F4EF3F258E251B341CAB3FBC732036F7D2EF3F2C266CAF5ECEBA3FD4702B0AD39CEF3F8605EF9065DBC33F6F5AAE0BC8B7EB3F7A016B8D7DFBDF3FCDE70F56B7D9EF3FC76F400E7CB8B8BFD4702B0AD39CEF3F8605EF9065DBC33FB4ADFBFF5EC3E83FD93C046A9144E43F");PPointF g_pts_const2 = (PPointF)g_str_pts_const2.c_str();PointF g_pi_const1[2] = { { cos((0) * get_pi() / 2), sin((0) * get_pi() / 2) }, { cos((-1) * get_pi() / 2), sin((-1) * get_pi() / 2) },};PointF g_pi_const2[2] = { { cos((0) * get_pi() / 2), sin((0) * get_pi() / 2) }, { cos((1) * get_pi() / 2), sin((1) * get_pi() / 2) },};void x_p0(PPointF pts, PPointF pts_const, int count){ for (int i = 0; i < count; i++) { double x = pts[i].x; double y = pts[i].y; double m = pts_const[i].x; double n = pts_const[i].y; pts[i].x = x * m - y * n; pts[i].y = x * n + y * m; }}void x_p0_r(PPointF pts, PPointF pts_const, int count){ for (int i = 0; i < count; i++) { double x = pts[i].x; double y = pts[i].y; double m = pts_const[i].x; double n = pts_const[i].y; pts[i].x = (y * n + x * m) / (m * m + n * n); pts[i].y = (y * m - x * n) / (m * m + n * n); }}void x_p1_raw(PPointF pts, PPointF pts_const){ PointF p0; PointF p1; PointF p2; PointF p3; PointF c0 = pts_const[0]; PointF c1 = pts_const[1]; p0 = pts[0]; p1 = pts[1]; p2 = pts[2]; p3 = pts[3]; pts[0].x = p0.x + p2.x; pts[0].y = p0.y + p2.y; pts[1].x = p1.x + p3.x; pts[1].y = p1.y + p3.y; pts[2].x = p0.x - p2.x; pts[2].y = p0.y - p2.y; pts[3].x = p1.x - p3.x; pts[3].y = p1.y - p3.y; x_p0(pts + 2, &c0, 1); x_p0(pts + 3, &c1, 1); p0 = pts[0]; p1 = pts[1]; p2 = pts[2]; p3 = pts[3]; pts[0].x = p0.x + p1.x; pts[0].y = p0.y + p1.y; pts[1].x = p0.x - p1.x; pts[1].y = p0.y - p1.y; pts[2].x = p2.x + p3.x; pts[2].y = p2.y + p3.y; pts[3].x = p2.x - p3.x; pts[3].y = p2.y - p3.y; x_p0(pts + 1, &c0, 1); x_p0(pts + 3, &c0, 1); PointF tmp = pts[1]; pts[1] = pts[2]; pts[2] = tmp;}void x_p1_raw_r(PPointF pts, PPointF pts_const){ PointF tmp = pts[1]; pts[1] = pts[2]; pts[2] = tmp; PointF p0; PointF p1; PointF p2; PointF p3; PointF c0 = pts_const[0]; PointF c1 = pts_const[1]; x_p0_r(pts + 1, &c0, 1); x_p0_r(pts + 3, &c0, 1); p0 = pts[0]; p1 = pts[1]; p2 = pts[2]; p3 = pts[3]; pts[0].x = (p0.x + p1.x) / 2; pts[1].x = (p0.x - p1.x) / 2; pts[0].y = (p0.y + p1.y) / 2; pts[1].y = (p0.y - p1.y) / 2; pts[2].x = (p2.x + p3.x) / 2; pts[3].x = (p2.x - p3.x) / 2; pts[2].y = (p2.y + p3.y) / 2; pts[3].y = (p2.y - p3.y) / 2; x_p0_r(pts + 2, &c0, 1); x_p0_r(pts + 3, &c1, 1); p0 = pts[0]; p1 = pts[1]; p2 = pts[2]; p3 = pts[3]; pts[0].x = (p0.x + p2.x) / 2; pts[2].x = (p0.x - p2.x) / 2; pts[0].y = (p0.y + p2.y) / 2; pts[2].y = (p0.y - p2.y) / 2; pts[1].x = (p1.x + p3.x) / 2; pts[3].x = (p1.x - p3.x) / 2; pts[1].y = (p1.y + p3.y) / 2; pts[3].y = (p1.y - p3.y) / 2;}void x_p1(PPointF pts){ size_t i; PointF tmp[4][4]; for (i = 0; i < 4; i++) { tmp[0][i] = pts[4 * i + 0]; tmp[1][i] = pts[4 * i + 1]; tmp[2][i] = pts[4 * i + 2]; tmp[3][i] = pts[4 * i + 3]; } for (i = 0; i < 4; i++) { x_p1_raw(&tmp[i][0], g_pi_const1); } for (i = 0; i < 4; i++) { pts[4 * i + 0] = tmp[0][i]; pts[4 * i + 1] = tmp[1][i]; pts[4 * i + 2] = tmp[2][i]; pts[4 * i + 3] = tmp[3][i]; } for (i = 0; i < 4; i++) { x_p1_raw(pts + 4 * i, g_pi_const1); }}void x_p1_r(PPointF pts){ size_t i; PointF tmp[4][4]; for (i = 0; i < 4; i++) { x_p1_raw_r(pts + 4 * i, g_pi_const1); } for (i = 0; i < 4; i++) { tmp[0][i] = pts[4 * i + 0]; tmp[1][i] = pts[4 * i + 1]; tmp[2][i] = pts[4 * i + 2]; tmp[3][i] = pts[4 * i + 3]; } for (i = 0; i < 4; i++) { x_p1_raw_r(&tmp[i][0], g_pi_const1); } for (i = 0; i < 4; i++) { pts[4 * i + 0] = tmp[0][i]; pts[4 * i + 1] = tmp[1][i]; pts[4 * i + 2] = tmp[2][i]; pts[4 * i + 3] = tmp[3][i]; }}void x_p2_raw(PPointF pts, PPointF pts_const){ x_p1_raw(pts, pts_const); for (size_t i = 0; i < 4; i++) { pts[i].x /= 4; pts[i].y /= 4; }}void x_p2_raw_r(PPointF pts, PPointF pts_const){ for (size_t i = 0; i < 4; i++) { pts[i].x *= 4; pts[i].y *= 4; } x_p1_raw_r(pts, pts_const);}void x_p2(PPointF pts){ size_t i; PointF tmp[4][4]; for (i = 0; i < 4; i++) { x_p2_raw(pts + 4 * i, g_pi_const2); } for (i = 0; i < 4; i++) { tmp[0][i] = pts[4 * i + 0]; tmp[1][i] = pts[4 * i + 1]; tmp[2][i] = pts[4 * i + 2]; tmp[3][i] = pts[4 * i + 3]; } for (i = 0; i < 4; i++) { x_p2_raw(&tmp[i][0], g_pi_const2); } for (i = 0; i < 4; i++) { pts[4 * i + 0] = tmp[0][i]; pts[4 * i + 1] = tmp[1][i]; pts[4 * i + 2] = tmp[2][i]; pts[4 * i + 3] = tmp[3][i]; }}void x_p2_r(PPointF pts){ size_t i; PointF tmp[4][4]; for (i = 0; i < 4; i++) { tmp[0][i] = pts[4 * i + 0]; tmp[1][i] = pts[4 * i + 1]; tmp[2][i] = pts[4 * i + 2]; tmp[3][i] = pts[4 * i + 3]; } for (i = 0; i < 4; i++) { x_p2_raw_r(&tmp[i][0], g_pi_const2); } for (i = 0; i < 4; i++) { pts[4 * i + 0] = tmp[0][i]; pts[4 * i + 1] = tmp[1][i]; pts[4 * i + 2] = tmp[2][i]; pts[4 * i + 3] = tmp[3][i]; } for (i = 0; i < 4; i++) { x_p2_raw_r(pts + 4 * i, g_pi_const2); }}void test_part1(){ BYTE sn[16] = { 0x11, 0x11, 0x11, 0x11, 0x22, 0x22, 0x22, 0x22, 0x33, 0x33, 0x33, 0x33, 0x44, 0x44, 0x44, 0x44, }; BYTE map[16] = { 0x00, 0x09, 0x02, 0x0B, 0x0F, 0x04, 0x0D, 0x06, 0x0A, 0x03, 0x08, 0x01, 0x05, 0x0E, 0x07, 0x0C, }; size_t i; BYTE buf[16] = {0}; for (i = 0; i < 16; i++) { buf[map[i]] = sn[i]; } PointF pts[16] = {0}; for (i = 0; i < 16; i++) { pts[i].x = buf[i]; } x_p0(pts, g_pts_const1, 16); x_p1(pts); x_p0(pts, g_pts_const2, 16); x_p2(pts);}BYTE double_to_byte(double v){ BYTE ch = 0; char buf[256] = {0}; sprintf(buf, "%f", v); char *dot = strchr(buf, '.'); if (dot != NULL) { *dot = 0; ch = (BYTE)atoi(buf); } return ch;}string x_get_sn_part1(){ int i; PPointF pts = g_part1_expected; x_p2_r(pts); x_p0_r(pts, g_pts_const2, 16); x_p1_r(pts); x_p0_r(pts, g_pts_const1, 16); BYTE r_map[16] = {0}; for (i = 0; i < 16; i++) { BYTE row = (7 * (i / 4) + 2 * (i % 4)) % 4; BYTE col = (i / 4 + i % 4 + 2 * (i / 4)) % 4; r_map[4 * row + col] = i; } BYTE sn[16] = {0}; for (i = 0; i < 16; i++) { //printf("%f\n", pts[i].x); sn[r_map[i]] = double_to_byte(pts[i].x); } return util::bin2hex(sn, 16);} |
3. check2
(主要是AES256[修改过]解密和xxtea解密), 得到sn后半部分: 68740438FDCC641665D0EA735F2739B3EE7B315A
AES代码参见: _https://github.com/kokke/tiny-AES-c/blob/master/aes.c
原始xxtea代码参见: _https://github.com/xxtea/xxtea-c (没改动, 就不贴了)
AES改动的部分
(1) sbox及rsbox
赞赏记录
参与人
雪币
留言
时间
PLEBFE
为你点赞~
2022-7-27 22:35
飘零丶
为你点赞~
2022-7-17 03:23
Editor
为你点赞~
2018-12-24 15:48
赞赏
|
|
|---|---|
|
|
他的文章
- KCTF2022春季赛 第三题 石像病毒 9112
- KCTF2022春季赛 第二题 末日邀请 16450
- KCTF2021秋季赛 第二题 迷失丛林 19187
- KCTF2020秋季赛 第十题 终焉之战 9199
- KCTF2020秋季赛 第九题 命悬一线 6709
赞赏
雪币:
留言:
