[原创]第六题 Repwn
2019-3-23 12:48 2898
1.思路
程序里似乎找不到输出“正确”的地方,结合题目名 Repwn,
很明显是要利用漏洞才能走到那里。
2.正文
貌似判断的后八位是这几个字母
更新后
直接用z3解
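from z3 import *

# Recover the eight decimal digits accepted by the first check.
# X[0..3] form the four-digit number v1, X[4..5] and X[6..7] form the
# two-digit numbers v2 and v3.
s = Solver()

# One z3 integer per digit, named X0..X7.
X = [Int('X' + str(i)) for i in range(8)]
print(X)

# Every unknown is a single decimal digit.
for digit in X:
    s.add(And(digit >= 0, digit <= 9))

v1 = X[3] + 1000 * X[0] + 100 * X[1] + 10 * X[2]
v2 = X[5] + 10 * X[4]
v3 = X[7] + 10 * X[6]

s.add(2 * (v1 + v2) == 4040)
# "/" on z3 Int terms is integer division, on Python 2 and Python 3 alike.
r2 = 3 * v2 / 2
s.add(r2 + 100 * v3 == 115)
s.add(v1 - 110 * v3 == 1900)
# Cross-check by hand: v1 + v2 = 2020 caps v1, so v3 can only be 1,
# which gives v1 = 2010 and v2 = 10.

if s.check() == sat:
    m = s.model()
    # as_long() yields the Python integer behind each model value.
    num = ''.join(str(m[digit].as_long()) for digit in X)
    # Parenthesised single-argument print runs on Python 2 and 3.
    print(num)
else:
    print("No Solution!")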
前八个
接着下面
这里应该就是溢出点呢!
那么要跳到哪里呢!
直接用这个找
可以计算到后面4个字符
‘HaCk’
所以跳转的就为
后面的好像还有判断但是听说就到这就可以提交了。
看了下后面的地方,菜鸡不知道用的什么算法!
好像都是一些进制转换之类的。
硬着头皮硬推了一下算法,但是其中有几个表好像不是单射的
也就是说只能正向求啊!!!!!!!
照理说应该是有多解的
// CrackMe-RePwn.cpp: defines the entry point for the console application.
//
// Re-implementation of the check routine lifted from the crackme, plus the
// author's attempts (unkonw_ni / ni / work) to run it backwards.
// The constant tables below match the standard DES tables: table = S-boxes,
// t3 = expansion E, t4 = permutation P, a3 = initial permutation IP,
// a0 = final permutation IP^-1.  Every data buffer holds one bit per byte.
// NOTE(review): memset/memcpy/memcmp and printf are used below; they need
// <string.h> and <stdio.h> unless stdafx.h already pulls them in.
#include "stdafx.h"
#include <stdlib.h>

// 8 S-boxes of 64 entries each, indexed in unkonw() as 64*box + 16*row + col.
unsigned char table[] = {
    // S-box 1
    0x0E, 0x04, 0x0D, 0x01, 0x02, 0x0F, 0x0B, 0x08, 0x03, 0x0A, 0x06, 0x0C, 0x05, 0x09, 0x00, 0x07,
    0x00, 0x0F, 0x07, 0x04, 0x0E, 0x02, 0x0D, 0x01, 0x0A, 0x06, 0x0C, 0x0B, 0x09, 0x05, 0x03, 0x08,
    0x04, 0x01, 0x0E, 0x08, 0x0D, 0x06, 0x02, 0x0B, 0x0F, 0x0C, 0x09, 0x07, 0x03, 0x0A, 0x05, 0x00,
    0x0F, 0x0C, 0x08, 0x02, 0x04, 0x09, 0x01, 0x07, 0x05, 0x0B, 0x03, 0x0E, 0x0A, 0x00, 0x06, 0x0D,
    // S-box 2
    0x0F, 0x01, 0x08, 0x0E, 0x06, 0x0B, 0x03, 0x04, 0x09, 0x07, 0x02, 0x0D, 0x0C, 0x00, 0x05, 0x0A,
    0x03, 0x0D, 0x04, 0x07, 0x0F, 0x02, 0x08, 0x0E, 0x0C, 0x00, 0x01, 0x0A, 0x06, 0x09, 0x0B, 0x05,
    0x00, 0x0E, 0x07, 0x0B, 0x0A, 0x04, 0x0D, 0x01, 0x05, 0x08, 0x0C, 0x06, 0x09, 0x03, 0x02, 0x0F,
    0x0D, 0x08, 0x0A, 0x01, 0x03, 0x0F, 0x04, 0x02, 0x0B, 0x06, 0x07, 0x0C, 0x00, 0x05, 0x0E, 0x09,
    // S-box 3
    0x0A, 0x00, 0x09, 0x0E, 0x06, 0x03, 0x0F, 0x05, 0x01, 0x0D, 0x0C, 0x07, 0x0B, 0x04, 0x02, 0x08,
    0x0D, 0x07, 0x00, 0x09, 0x03, 0x04, 0x06, 0x0A, 0x02, 0x08, 0x05, 0x0E, 0x0C, 0x0B, 0x0F, 0x01,
    0x0D, 0x06, 0x04, 0x09, 0x08, 0x0F, 0x03, 0x00, 0x0B, 0x01, 0x02, 0x0C, 0x05, 0x0A, 0x0E, 0x07,
    0x01, 0x0A, 0x0D, 0x00, 0x06, 0x09, 0x08, 0x07, 0x04, 0x0F, 0x0E, 0x03, 0x0B, 0x05, 0x02, 0x0C,
    // S-box 4
    0x07, 0x0D, 0x0E, 0x03, 0x00, 0x06, 0x09, 0x0A, 0x01, 0x02, 0x08, 0x05, 0x0B, 0x0C, 0x04, 0x0F,
    0x0D, 0x08, 0x0B, 0x05, 0x06, 0x0F, 0x00, 0x03, 0x04, 0x07, 0x02, 0x0C, 0x01, 0x0A, 0x0E, 0x09,
    0x0A, 0x06, 0x09, 0x00, 0x0C, 0x0B, 0x07, 0x0D, 0x0F, 0x01, 0x03, 0x0E, 0x05, 0x02, 0x08, 0x04,
    0x03, 0x0F, 0x00, 0x06, 0x0A, 0x01, 0x0D, 0x08, 0x09, 0x04, 0x05, 0x0B, 0x0C, 0x07, 0x02, 0x0E,
    // S-box 5
    0x02, 0x0C, 0x04, 0x01, 0x07, 0x0A, 0x0B, 0x06, 0x08, 0x05, 0x03, 0x0F, 0x0D, 0x00, 0x0E, 0x09,
    0x0E, 0x0B, 0x02, 0x0C, 0x04, 0x07, 0x0D, 0x01, 0x05, 0x00, 0x0F, 0x0A, 0x03, 0x09, 0x08, 0x06,
    0x04, 0x02, 0x01, 0x0B, 0x0A, 0x0D, 0x07, 0x08, 0x0F, 0x09, 0x0C, 0x05, 0x06, 0x03, 0x00, 0x0E,
    0x0B, 0x08, 0x0C, 0x07, 0x01, 0x0E, 0x02, 0x0D, 0x06, 0x0F, 0x00, 0x09, 0x0A, 0x04, 0x05, 0x03,
    // S-box 6
    0x0C, 0x01, 0x0A, 0x0F, 0x09, 0x02, 0x06, 0x08, 0x00, 0x0D, 0x03, 0x04, 0x0E, 0x07, 0x05, 0x0B,
    0x0A, 0x0F, 0x04, 0x02, 0x07, 0x0C, 0x09, 0x05, 0x06, 0x01, 0x0D, 0x0E, 0x00, 0x0B, 0x03, 0x08,
    0x09, 0x0E, 0x0F, 0x05, 0x02, 0x08, 0x0C, 0x03, 0x07, 0x00, 0x04, 0x0A, 0x01, 0x0D, 0x0B, 0x06,
    0x04, 0x03, 0x02, 0x0C, 0x09, 0x05, 0x0F, 0x0A, 0x0B, 0x0E, 0x01, 0x07, 0x06, 0x00, 0x08, 0x0D,
    // S-box 7
    0x04, 0x0B, 0x02, 0x0E, 0x0F, 0x00, 0x08, 0x0D, 0x03, 0x0C, 0x09, 0x07, 0x05, 0x0A, 0x06, 0x01,
    0x0D, 0x00, 0x0B, 0x07, 0x04, 0x09, 0x01, 0x0A, 0x0E, 0x03, 0x05, 0x0C, 0x02, 0x0F, 0x08, 0x06,
    0x01, 0x04, 0x0B, 0x0D, 0x0C, 0x03, 0x07, 0x0E, 0x0A, 0x0F, 0x06, 0x08, 0x00, 0x05, 0x09, 0x02,
    0x06, 0x0B, 0x0D, 0x08, 0x01, 0x04, 0x0A, 0x07, 0x09, 0x05, 0x00, 0x0F, 0x0E, 0x02, 0x03, 0x0C,
    // S-box 8
    0x0D, 0x02, 0x08, 0x04, 0x06, 0x0F, 0x0B, 0x01, 0x0A, 0x09, 0x03, 0x0E, 0x05, 0x00, 0x0C, 0x07,
    0x01, 0x0F, 0x0D, 0x08, 0x0A, 0x03, 0x07, 0x04, 0x0C, 0x05, 0x06, 0x0B, 0x00, 0x0E, 0x09, 0x02,
    0x07, 0x0B, 0x04, 0x01, 0x09, 0x0C, 0x0E, 0x02, 0x00, 0x06, 0x0A, 0x0D, 0x0F, 0x03, 0x05, 0x08,
    0x02, 0x01, 0x0E, 0x07, 0x04, 0x0A, 0x08, 0x0D, 0x0F, 0x0C, 0x09, 0x00, 0x03, 0x05, 0x06, 0x0B };

// 16 rows of 48 bits (one bit per byte).  unkonw()/unkonw_ni() XOR one row
// into the E-expanded half block, i.e. each row is used as a round subkey.
// Values are listed in source order; the line breaks below do not mark
// row boundaries.
unsigned char d_table[16][48] = {
    0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00,
    0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01,
    0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01,
    0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00,
    0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00,
    0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00,
    0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00,
    0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00,
    0x00, 0x01,
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x01,
    0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01,
    0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01,
    0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01,
    0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01,
    0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
    0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00,
    0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01,
    0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00,
    0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
    0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01,
    0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00,
    0x01, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01,
    0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
    0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01,
    0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
    0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00,
    0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01,
    0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01,
    0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00,
    0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01,
    0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00,
    0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00,
    0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01,
    0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01,
    0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00,
    0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00,
    0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01,
    0x00, 0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01,
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01,
    0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01,
    0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00,
    0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x00, 0x01,
    0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00,
    0x01, 0x01, 0x00, 0x01, 0x00, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00,
    0x00 };

// Expansion E: 1-based source positions that stretch 32 bits to 48.
unsigned char t3[0x30] = {
    0x20, 0x01, 0x02, 0x03, 0x04, 0x05, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09,
    0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0C, 0x0D, 0x0E, 0x0F, 0x10, 0x11,
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19,
    0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1C, 0x1D, 0x1E, 0x1F, 0x20, 0x01 };

// Permutation P applied to the 32 S-box output bits (1-based positions).
unsigned char t4[] = {
    0x10, 0x07, 0x14, 0x15, 0x1D, 0x0C, 0x1C, 0x11, 0x01, 0x0F, 0x17, 0x1A, 0x05, 0x12, 0x1F, 0x0A,
    0x02, 0x08, 0x18, 0x0E, 0x20, 0x1B, 0x03, 0x09, 0x13, 0x0D, 0x1E, 0x06, 0x16, 0x0B, 0x04, 0x19 };

// 64-bit test block (one bit per byte) that testfuc() runs forward.
unsigned char calc_f[] = {
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
    0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01,
    0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00 };

// 64-bit block that ni() works on in place.
unsigned char F[64] = {
    0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x01, 0x00, 0x00, 0x01, 0x00, 0x00, 0x01, 0x00,
    0x00, 0x01, 0x00, 0x01, 0x01, 0x00, 0x00, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01,
    0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x01, 0x01, 0x00, 0x01, 0x01, 0x01, 0x00, 0x00, 0x00, 0x01, 0x01, 0x01, 0x01 };

// Not referenced by any function in this listing.
unsigned char dump[] = {
    0x00,0x00,0x01,0x01,0x00,0x01,0x01,0x01,0x01,0x00,0x00,0x01,0x00,0x00,0x01,0x00
    ,0x00,0x01,0x00,0x01,0x01,0x00,0x00,0x01,0x01,0x00,0x00,0x00,0x01,0x01,0x01,0x01
    ,0x00,0x00,0x01,0x01,0x00,0x01,0x01,0x01,0x01,0x00,0x00,0x01,0x00,0x00,0x01,0x00
    ,0x00,0x01,0x00,0x01,0x01,0x00,0x00,0x01,0x01,0x00,0x00,0x00,0x01,0x01,0x01,0x01 };

// 64-bit block that work() tries to run backwards.
// presumably the expected value compared inside the binary; confirm there
unsigned char R[] = {
    0x01,0x00,0x00,0x01,0x01,0x01,0x00,0x01,0x01,0x00,0x01,0x01,0x00,0x00,0x00,0x00
    ,0x01,0x00,0x00,0x00,0x00,0x01,0x00,0x00,0x01,0x00,0x01,0x00,0x01,0x01,0x00,0x00
    ,0x01,0x00,0x00,0x01,0x00,0x01,0x01,0x01,0x00,0x00,0x00,0x00,0x00,0x01,0x00,0x00
    ,0x00,0x00,0x00,0x01,0x01,0x01,0x01,0x00,0x00,0x00,0x01,0x01,0x00,0x00,0x00,0x00 };

// Final permutation IP^-1 (1-based positions).
unsigned char a0[0x40] = {
    0x28, 0x08, 0x30, 0x10, 0x38, 0x18, 0x40, 0x20, 0x27, 0x07, 0x2F, 0x0F, 0x37, 0x17, 0x3F, 0x1F,
    0x26, 0x06, 0x2E, 0x0E, 0x36, 0x16, 0x3E, 0x1E, 0x25, 0x05, 0x2D, 0x0D, 0x35, 0x15, 0x3D, 0x1D,
    0x24, 0x04, 0x2C, 0x0C, 0x34, 0x14, 0x3C, 0x1C, 0x23, 0x03, 0x2B, 0x0B, 0x33, 0x13, 0x3B, 0x1B,
    0x22, 0x02, 0x2A, 0x0A, 0x32, 0x12, 0x3A, 0x1A, 0x21, 0x01, 0x29, 0x09, 0x31, 0x11, 0x39, 0x19 };

// Initial permutation IP (1-based positions).
unsigned char a3[] = {
    0x3A, 0x32, 0x2A, 0x22, 0x1A, 0x12, 0x0A, 0x02, 0x3C, 0x34, 0x2C, 0x24, 0x1C, 0x14, 0x0C, 0x04,
    0x3E, 0x36, 0x2E, 0x26, 0x1E, 0x16, 0x0E, 0x06, 0x40, 0x38, 0x30, 0x28, 0x20, 0x18, 0x10, 0x08,
    0x39, 0x31, 0x29, 0x21, 0x19, 0x11, 0x09, 0x01, 0x3B, 0x33, 0x2B, 0x23, 0x1B, 0x13, 0x0B, 0x03,
    0x3D, 0x35, 0x2D, 0x25, 0x1D, 0x15, 0x0D, 0x05, 0x3F, 0x37, 0x2F, 0x27, 0x1F, 0x17, 0x0F, 0x07 };

// Src is not used by the functions below; Src1 receives work()'s final
// permuted bits; after_calc is the 48-byte scratch buffer shared by
// unkonw() and unkonw_ni().
char Src[64] = { 0 };
char Src1[64] = { 0 };
char after_calc[0x30] = { 0 };

// Apply permutation table a3 (1-based) to a2: Dst[i] = a2[a3[i] - 1].
// Works through a heap copy, so Dst and a2 may be the same buffer.
// NOTE(review): the malloc result is not checked before use.
void changce(char *Dst, char *a2, unsigned char *a3, signed int Size)
{
    char *v4; // esi
    signed int i; // edx
    v4 = a2;
    char *t = (char *)malloc(sizeof(char)*Size);
    memset(t, 0, Size);
    for (i = 0; i < Size; ++i)
        t[i] = v4[a3[i] - 1];
    memcpy(Dst, t, Size);
    free(t);
}

// XOR the first `size` bytes of a2 into c, in place.
// The three decompiler locals are declared but never used.
void xorf(char *c, char *a2, int size)
{
    char *a2_1; // esi
    int v4; // edx
    char *a1; // ebx
    for (int i = 0; i < size; i++)
    {
        c[i] = c[i] ^ a2[i];
    }
}

// Scatter counterpart of changce(): a2[a3[i] - 1] = Dst[i].
// This undoes changce() when a3 is a true permutation of 1..Size.
void changce_ni(char *a2, char *Dst, unsigned char *a3, signed int Size)
{
    signed int i; // edx
    char *t = (char *)malloc(sizeof(char)*Size);
    memset(t,0, Size);
    for (i = 0; i < Size; ++i)
        t[a3[i] - 1] = Dst[i];
    memcpy(a2, t, Size);
    free(t);
    //return memcpy(Dst, Src, Size);
}

// Scatter 0x30 input bytes back into a 0x20-byte buffer through a3.
// The temporary is only 0x20 bytes, so every a3[i] must lie in 1..0x20;
// the only table passed in this file (t3) satisfies that.  Where a3 names
// the same position twice, the later input byte wins.
void changce_ni_20h(char *a2, char *Dst, unsigned char *a3)
{
    signed int i; // edx
    char *t = (char *)malloc(sizeof(char)*0x20);
    memset(t, 0, 0x20);
    for (i = 0; i < 0x30; ++i)
        t[a3[i] - 1] = Dst[i];
    memcpy(a2, t, 0x20);
    free(t);
    //return memcpy(Dst, Src, Size);
}

// Pack four one-bit bytes (most significant first) into a value 0..15.
unsigned int bin2dec(char *bin)
{
    char dec = 0;
    dec = bin[3] + bin[2] * 2 + bin[1] * 2 * 2 + bin[0] * 2 * 2 * 2;
    return dec;
}

// Forward round function on a 32-bit half block (one bit per byte):
// expand with t3, XOR the 48-bit row d_t_l, run each 6-bit group through
// its S-box in `table`, then permute the 32 result bits with t4.
// The result overwrites pcalc_f_20.
void unkonw(char *pcalc_f_20, char *d_t_l)
{
    char *v2; // edi
    int i; // esi
    char *dtl; // ebx
    signed int k; // ebx
    int v6; // ecx
    signed int j; // [esp+8h] [ebp-10h]
    v2 = pcalc_f_20;
    i = 0;
    dtl = d_t_l;
    changce(after_calc, pcalc_f_20, t3, 0x30); // after_calc=0x408580
    xorf(after_calc, dtl, 0x30);
    j = 0;
    do
    {
        k = 0;
        // index = 64*j + 16*row + col, row from bits 0 and 5, col from bits 1..4
        v6 = table[16 * (4 * j + after_calc[i + 5] + 2 * after_calc[i]) + 2 * (after_calc[i + 3] + 2 * (after_calc[i + 2] + 2 * after_calc[i + 1])) + after_calc[i + 4]];
        printf("j=%d,unkonw-dec=%d\n",j, v6);
        do
        {
            // store the 4-bit S-box output, least significant bit last
            v2[4 * j - k++ + 3] = (v6 & 1) != 0; // v2=4085d0
            v6 /= 2; // to_bin
        } while (k <= 3);
        ++j;
        i += 6;
    } while (j <= 7);
    changce(v2, v2, t4, 32);
}

// Counts how many times unkonw_ni() printed "Found".
int g = 0;

// Attempted inverse of unkonw(): undo t4, then for each 4-bit group search
// the matching S-box for an input index that produces it and rebuild the
// 48 pre-S-box bits in temp.
// NOTE(review): every 4-bit value occurs four times in each 64-entry
// S-box, so this search is ambiguous by construction.  A Feistel round can
// be undone with the forward function unkonw() and the saved half block,
// which needs no S-box inversion at all.
// NOTE(review): the result is left in after_calc; pcalc_f_20 only receives
// the changce_ni() output because the final memcpy is commented out.
void unkonw_ni(char *pcalc_f_20, char *d_t_l)
{
    char *v2; // edi
    int i; // esi
    char *dtl; // ebx
    signed int k; // ebx
    int v6; // ecx
    signed int j; // [esp+8h] [ebp-10h]
    unsigned char temp[0x30] = { 0 };
    unsigned char temp_t[0x30] = { 0 };
    int found = 0;
    int s = 0;
    v2 = pcalc_f_20;
    i = 0;
    dtl = d_t_l;
    changce_ni(v2, v2, t4, 32);
    j = 0;
    do
    {
        int dec = bin2dec(v2);
        //printf("j=%d,unkonw_ni-dec=%d\n",j, dec);
        for (i = 0; i < 64; i++)
        {
            if (dec == (int)table[64 * j + i])
            {
                found = i;
                //printf("Found:j=%d,i=%d,s0=%d\n", j, i, 64 * j + i);
                // split the S-box index back into the six input bits
                temp[4 + j * 6] = found % 2;
                found = found / 2;
                temp[j * 6 + 3] = found % 2;
                found = found / 2;
                temp[j * 6 + 2] = found % 2;
                found = found / 2;
                temp[j * 6 + 1] = found % 2;
                found = found / 2;
                temp[j * 6 + 5] = found % 2;
                found = found / 2;
                temp[j * 6] = found % 2;
                // accept the candidate only if it survives a collapse and
                // re-expansion through t3 unchanged
                memcpy(temp_t, temp, 0x30);
                xorf((char *)temp_t, dtl, 0x30);
                changce_ni_20h((char *)temp_t, (char *)temp_t, t3);
                changce((char *)temp_t, (char *)temp_t, t3, 0x30);
                xorf((char *)temp_t, dtl, 0x30);
                if (memcmp(temp_t, temp, 0x20)==0)
                {
                    printf("Found\n");
                    g++;
                    break;
                }
                //break;
            }
        }
        v2 += 4;
        j++;
    } while (j <= 7);
    xorf((char *)temp, dtl, 0x30);
    memcpy(after_calc,(char *)temp,0x30);
    changce_ni_20h(after_calc, after_calc, t3);
    //changce((char *)temp_t, (char *)temp_t, t3, 0x30);
    //memcpy(pcalc_f_20, after_calc, 0x20);
}

//char calc_f[64] = { 0 };
// Views of the 64-byte working block as two groups of 8 ints (0x20 bytes
// each), and the buffer that carries one half between rounds.
int *p_calc_f_20h;
int *p_calc_f;
int tail_calc_f_dd[8] = { 0 };

// Run 15 forward rounds over calc_f using rows d_table[0]..d_table[14]:
// save the second half, replace it with unkonw(second half) XOR first half,
// then move the saved half into the first half.
// NOTE(review): (int)d_table_line stores a pointer in an int, which
// truncates it on 64-bit targets.
void testfuc()
{
    unsigned char(*d_table_line)[48];
    int v4;
    int *v5;
    p_calc_f_20h = (int *)&calc_f[0x20];
    p_calc_f = (int *)calc_f; // 15*48 table
    d_table_line = d_table;
    int i_1 = 14;
    do
    {
        tail_calc_f_dd[0] = *p_calc_f_20h; // (pinyin note, roughly) the 8 trailing dwords = last 0x20 bytes, carried into the next 0x20-byte half
        tail_calc_f_dd[1] = p_calc_f_20h[1];
        tail_calc_f_dd[2] = p_calc_f_20h[2];
        tail_calc_f_dd[3] = p_calc_f_20h[3];
        tail_calc_f_dd[4] = p_calc_f_20h[4];
        tail_calc_f_dd[5] = p_calc_f_20h[5];
        tail_calc_f_dd[6] = p_calc_f_20h[6];
        tail_calc_f_dd[7] = p_calc_f_20h[7];
        v4 = (int)d_table_line;
        ++d_table_line; // +0x30h
        unkonw((char *)p_calc_f_20h, (char *)v4);
        xorf ((char *)p_calc_f_20h, (char *)p_calc_f, 32);
        --i_1;
        v5 = p_calc_f;
        *p_calc_f = tail_calc_f_dd[0];
        v5[1] = tail_calc_f_dd[1];
        v5[2] = tail_calc_f_dd[2];
        v5[3] = tail_calc_f_dd[3];
        v5[4] = tail_calc_f_dd[4];
        v5[5] = tail_calc_f_dd[5];
        v5[6] = tail_calc_f_dd[6];
        v5[7] = tail_calc_f_dd[7];
    } while (i_1 >= 0);
    return;
}

// Attempted reversal of testfuc() over F: 15 rounds walking the rows from
// d_table[14] down to d_table[0], using unkonw_ni() for the round function.
// NOTE(review): same pointer-to-int cast as in testfuc().
void ni()
{
    unsigned char(*d_table_line)[48];
    int v4;
    int *v5;
    p_calc_f_20h = (int *)&F[0x20];
    p_calc_f = (int *)F; // 15*48 table
    d_table_line = d_table+14;
    int i_1 = 14;
    do
    {
        v5 = p_calc_f;
        tail_calc_f_dd[0] = *p_calc_f;
        tail_calc_f_dd[1] = v5[1];
        tail_calc_f_dd[2] = v5[2];
        tail_calc_f_dd[3] = v5[3];
        tail_calc_f_dd[4] = v5[4];
        tail_calc_f_dd[5] = v5[5];
        tail_calc_f_dd[6] = v5[6];
        tail_calc_f_dd[7] = v5[7];
        v4 = (int)d_table_line;
        --d_table_line; // +0x30h
        unkonw_ni((char *)p_calc_f_20h, (char *)v4); // d_t_l=0x408040
        xorf((char *)p_calc_f_20h, (char *)p_calc_f, 32);
        --i_1;
        *p_calc_f_20h = tail_calc_f_dd[0]; // (pinyin note, roughly) the 8 trailing dwords = last 0x20 bytes, carried into the next 0x20-byte half
        p_calc_f_20h[1] =tail_calc_f_dd[1];
        p_calc_f_20h[2] = tail_calc_f_dd[2];
        p_calc_f_20h[3] = tail_calc_f_dd[3];
        p_calc_f_20h[4] = tail_calc_f_dd[4];
        p_calc_f_20h[5] = tail_calc_f_dd[5];
        p_calc_f_20h[6] = tail_calc_f_dd[6];
        p_calc_f_20h[7] = tail_calc_f_dd[7];
    } while (i_1 >= 0);
    return;
}

// Attempt to run the whole transform backwards from R: undo a0, undo the
// round that uses d_table[15], undo 15 more rounds, undo a3, then pack the
// resulting 64 bits into 8 bytes.
// NOTE(review): d_table_line starts at d_table and is decremented each
// round, so every round after the first passes a pointer that lies before
// the array and unkonw_ni() reads 0x30 bytes out of bounds.  ni() starts at
// d_table+14 for the same countdown, which is presumably what was meant
// here as well.
// NOTE(review): `flag` is computed but never printed or returned; only the
// counter g is reported.
void work()
{
    unsigned char(*d_table_line)[48];
    int v4;
    int *v5;
    unsigned char temp[0x40] = { 0 };
    p_calc_f_20h = (int *)&temp[0x20];
    p_calc_f = (int *)temp; // 15*48 table
    d_table_line = d_table;
    changce_ni((char *)temp, (char *)R, a0, 64);
    xorf((char *)p_calc_f, (char *)p_calc_f_20h, 0x20);
    unkonw_ni((char *)p_calc_f_20h, (char *)d_table[15]);
    //unkonw((char *)p_calc_f_20h, (char *)d_table[15]);
    int i_1 = 14;
    do
    {
        v5 = p_calc_f;
        tail_calc_f_dd[0] = *p_calc_f;
        tail_calc_f_dd[1] = v5[1];
        tail_calc_f_dd[2] = v5[2];
        tail_calc_f_dd[3] = v5[3];
        tail_calc_f_dd[4] = v5[4];
        tail_calc_f_dd[5] = v5[5];
        tail_calc_f_dd[6] = v5[6];
        tail_calc_f_dd[7] = v5[7];
        v4 = (int)d_table_line;
        --d_table_line; // +0x30h
        xorf((char *)p_calc_f_20h, (char *)p_calc_f, 32);
        unkonw_ni((char *)p_calc_f_20h, (char *)v4); // d_t_l=0x408040
        --i_1;
        *p_calc_f_20h = tail_calc_f_dd[0]; // (pinyin note, roughly) the 8 trailing dwords = last 0x20 bytes, carried into the next 0x20-byte half
        p_calc_f_20h[1] = tail_calc_f_dd[1];
        p_calc_f_20h[2] = tail_calc_f_dd[2];
        p_calc_f_20h[3] = tail_calc_f_dd[3];
        p_calc_f_20h[4] = tail_calc_f_dd[4];
        p_calc_f_20h[5] = tail_calc_f_dd[5];
        p_calc_f_20h[6] = tail_calc_f_dd[6];
        p_calc_f_20h[7] = tail_calc_f_dd[7];
    } while (i_1 >= 0);
    changce_ni(Src1, (char *)temp, a3, 64);
    unsigned char flag[16] = { 0 };
    // pack each group of eight one-bit bytes, most significant bit first
    for (int i = 0; i < 8; i++)
    {
        flag[i] = Src1[8 * i + 7] + Src1[8 * i + 6] * 2 + Src1[8 * i + 5] * 4 + Src1[8 * i + 4] * 8 + Src1[8 * i + 3] * 16 + Src1[8 * i + 2] * 32 + Src1[8 * i + 1] * 64 + Src1[8 * i] * 128;
    }
    printf("g=%d\n", g);
    return;
}

// Entry point: only the work() experiment is enabled.
int main()
{
    //testfuc();
    //ni();
    work();
    return 0;
}
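貌似其中的 table 表和另外几个表都不是单射的,怎么倒推啊!只有正着来才有可能吧,而且可能出现多解吧。补充一点:对照常量可以看出,这些表与标准 DES 的表一致——table 是 8 个 S 盒,t3 是扩展置换 E,t4 是置换 P,a3 和 a0 分别是初始置换 IP 和逆初始置换 IP⁻¹,d_table 则是 16 组 48 位的轮子密钥。DES 是 Feistel 结构,逆运算并不需要对 S 盒求逆:每一轮仍然正向计算轮函数,再与保存下来的另一半异或即可,所以 S 盒不是单射并不妨碍倒推;如果程序后面确实是标准的 DES 流程,把 16 组子密钥倒序使用就能得到唯一的结果。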