-
-
看雪CTF2019Q1-第5题
-
2019-3-18 22:58
1763
-
1. 去掉第6位和第12位的V, base64解码验证
.text:00402652 x_on_check
0: bmdeTH8Xb2unTHN5TSVhTQ -> no, wrong sn!!!!
1: bWzXZSB3b3JrTHRvTGRvTQ -> more work to do!
2: sWE9LCBjb3JXZWNwTHN5TQ -> yes, correct sn!
3: c24aZGzlc24n8CB3b3JrTQ -> sn doesn't work!
int __cdecl x_on_check(HWND hDlg)
{
...
GetDlgItemTextA(hDlg, 1000, sz_user, 3); //O
sn_len = GetDlgItemTextA(hDlg, 1001, sz_sn, 255);
x_get_string(0, Text);
b64_len = 0;
err_count = 0;
if ( sn_len < 12 )
err_count = 1;
// sn[0]与s[1]不能同时为A
if ( sz_sn[0] == 'A' && sz_sn[1] == 'A' )
++err_count;
// sn[5]与sn[11]必须为V
if ( sz_sn[5] != 'V' || sz_sn[11] != 'V' )
++err_count;
for ( i = 0; i < sn_len; ++i )
{
if ( i != 5 && i != 11 )
{
if ( !isalnum(sz_sn[i]) )
{
err_count += 3;
break;
}
b64[b64_len++] = sz_sn[i];
}
}
if ( !err_count )
{
...
// ABCyVPGHTJKLMNOFQRSIUEWDYZgbc8sfah1jklmnopqret5v0xX9wi234u67dz+/
x_init_my_b64_table(80, v10, 0x40u);
x_global_b64_init(v10);
plain_len = x_global_b64_decode((unsigned __int8 *)b64, plain);
x_global_b64_encode((unsigned __int8 *)plain, b64_2, plain_len);
if ( plain[0] )
{
if ( !memcmp(b64_2, b64, b64_len) )
{
v7 = x_4024E1(100, v5, plain, plain_len);
// 根据提示, 这里 v7 == 2 时成功
x_get_string(v7, Text);
}
}
}
MessageBoxA(hDlg, Text, Text, 0);
return 0;
}
2. 验证
小于100的素数: 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47, 53, 59, 61, 67, 71, 73, O, 83, 89, 97
P=3*5*...*73=0x41CD66ACC237B22681A18067
验证 sn ^ 83 mod P == 2
int __cdecl x_4024E1(int v, int a2, char *buf, int buf_len)
{
// 得到v以内的素数
n = x_get_primes(v, v7);
x_bn_new(&v10);
x_bn_new(&v8);
x_bn_set_int((int)&v10, 0);
x_bn_set_int((int)&bn, 0);
v4 = 1;
x_bn_set_int((int)&v11, 1);
x_bn_set_int((int)&v8, v7[0]);
x_bn_from_buf((int)&bn, (int)buf, buf_len);
r = x_bn_get_int((int)&v10);
if ( n > 1 )
{
v5 = &v7[1];
while ( *v5 != a2 )
{
if ( *v5 )
x_bn_mul_int((int)&v11, (int)&v11, *v5);
++v4;
++v5;
if ( v4 >= n )
goto LABEL_9;
}
n = v7[v4 + 1];
}
LABEL_9:
if ( x_bn_cmp(&bn, &v8) >= 0 && x_bn_cmp(&bn, &v11) <= 0 )
{
x_bn_powmod((int)&v10, (int)&bn, n, (int)&v11);
if ( x_bn_cmp(&v10, &v8) >= 0 && x_bn_cmp(&v10, &v11) <= 0 )
r = x_bn_get_int((int)&v10);
}
return r;
}
3. 计算
Y=G^X MOD P
G=Y^(X^(-1) MOD Phi) MOD P
因为P是素数的乘积, 所以Phi(P)=(3-1)*(5-1)*...*(73-1)=0x1096a01dd6dc59ca00000000
得到G=0x1555D30F38B0DBCAEC83C0F9
base64编码G得到: PEDIy9102dreadyu
得到flag: PEDIyV9102dVreadyu
[培训]二进制漏洞攻防(第3期);满10人开班;模糊测试与工具使用二次开发;网络协议漏洞挖掘;Linux内核漏洞挖掘与利用;AOSP漏洞挖掘与利用;代码审计。
