
[原创]2019看雪CTF总决赛第三题--第三题:街机少年WP

2019-12-7 11:27
3670

2019看雪CTF总决赛第三题--第三题:街机少年WP

迷迷糊糊地突然发现题目要关闭了,心里好慌,赶紧刚一刚。
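单看每一段代码都能看懂,但堆在一块再加上查表,就看不出整体在算什么了。于是用 Python 把算法模拟了一遍,发现校验是逐字节推进的:从模拟代码看,某个位置能否通过只取决于它之前(含它自己)的字节,所以可以按字节爆破,每个位置最多试 256 次。那还管什么二次剩余,还管什么算法,直接上主要代码(Python 2 写法;代码里用到的 table、table_4096、table_xor 等查找表没有贴出来,应是从题目程序里导出的数据):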

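def crack():
  """Recover the serial byte by byte by replaying the check in Python.

  For every position the function tries each byte value 0..255, replays
  the whole emulated validation on ``known prefix + candidate`` and keeps
  the first candidate for which the replay is still valid at that
  position.  The accept/reject decision is taken per position, so the
  search costs at most 96 * 256 replays instead of a search over the full
  key space; a check that exposes a per-byte pass/fail result can be
  solved this way regardless of the arithmetic behind it.

  The search stops when every cell of ``t`` is zero or after 96 bytes.
  The recovered bytes are printed through enbase1().  If no byte value
  fits a position, 'error' is printed and the process exits.

  Relies on get_n1, get_n2, fun1, enbase1 and on the lookup tables
  ``table`` and ``table_4096``, which are defined outside this function.
  """
  # Initial state. Both tables are mutated during a replay, so every
  # candidate starts from a fresh copy.
  init_table_32 = (
    0x09, 0x1A, 0x0D, 0x04, 0x1F, 0x3E, 0x28, 0x47, 0x4B, 0x6F,
    0x7D, 0x85, 0xA5, 0xCE, 0xFF, 0x05, 0x24, 0x4B, 0x6A, 0x8C,
    0xA7, 0xE6, 0x19, 0x56, 0x6B, 0xB6, 0xC0, 0x04, 0x48, 0x8B,
    0xC4, 0x14,
  )
  # 15 non-zero cells followed by zero padding, 128 entries in total.
  init_t = (
    0x03, 0x07, 0x07, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0A, 0x05, 0x06, 0x07, 0x0E, 0x0F,
  ) + (0,) * 113
  # The starting value does not depend on the candidate, so compute it once.
  start_n1 = get_n1((0x4b % 16) + 1)

  k = []
  for pos in range(96):
    for i1 in range(0x101):
      if i1 == 0x100:
        # Sentinel: all 256 byte values were rejected at this position.
        flag = False
        break
      table_32 = list(init_table_32)
      t = list(init_t)
      n1 = start_n1
      idx = 5
      # The trailing 0 is padding: step i also reads key[i+1].
      key = k + [i1, 0]
      for i in range(len(key) - 1):
        flag = True
        # Low and high nibble of the key byte, each shifted into 1..16.
        a = (key[i] & 0xf) + 1
        b = ((key[i] >> 4) & 0xf) + 1
        flag1 = 0
        # The range tests are always true for values built as nibble + 1;
        # they are kept as written in the emulated check.
        if n1 and a != 0 and b != 0 and a <= 16 and b <= 16:
          a, _ = get_n2(n1, a)
          tmp = get_n1(a)
          b, flag1 = get_n2(tmp, b)
        else:
          flag = False
          break
        if flag1:
          # get_n2 saw the value 1 before its last step: reject.
          flag = False
          break
        n1 = get_n1(b)
        # NOTE(review): t[a-1]-b can be negative; Python then indexes
        # table_32 from the end - confirm this matches the target's layout.
        v48 = b * table_32[t[a - 1] - b]
        for j in range(a, 128):
          v4 = 1 if t[j] == 0 else 0
          v5 = (v4 + table_4096[fun1(t[a - 1], t[j], b)]) * v48
          tmp = 1 if v5 != 0 else 0
          v48 = ((v5 + 1) & tmp) + v5
        # Adds b when v48 is odd, subtracts b when v48 is even.
        t[a - 1] += (2 * ((v48 + 1) & 1) - 1) * b
        if not v48:
          flag = False
          break
        if set(t) == {0} and i == pos:
          # Every cell is cleared at the position under test: solved.
          flag = True
          break
        c = (key[i + 1] & 0xf) + 1
        d = ((key[i] >> 4) & 0xf) + 1
        # Floor division keeps the index an int on Python 2 and Python 3.
        table_32[d // 2] += c
        table_32[d // 2] = (table_32[d // 2] % 127) + 1
        # Fold the first 15 cells of t, two at a time, through `table`.
        tmp = table[(t[2]+t[1]+t[0])%16 | 16*t[2] | t[1]<<8 | t[0]<<12]
        tmp = table[(t[4]+t[3]+tmp)%16 | 16*t[4] | t[3]<<8 | tmp<<12]
        tmp = table[(t[6]+t[5]+tmp)%16 | 16*t[6] | t[5]<<8 | tmp<<12]
        tmp = table[(t[8]+t[7]+tmp)%16 | 16*t[8] | t[7]<<8 | tmp<<12]
        tmp = table[(t[10]+t[9]+tmp)%16 | 16*t[10] | t[9]<<8 | tmp<<12]
        tmp = table[(t[12]+t[11]+tmp)%16 | 16*t[12] | t[11]<<8 | tmp<<12]
        tmp = table[(t[14]+t[13]+tmp)%16 | 16*t[14] | t[13]<<8 | tmp<<12]
        if tmp:
          # A non-zero fold result is treated as a failed candidate. The
          # author left this alternative handling disabled:
          #   for j in range(15):
          #     if table_256[tmp|16*t[j]]&1:
          #       t[j] = table_256[tmp|16*t[j]] >> 1
          #       break
          flag = False
          break
        else:
          # Skip cleared cells, then reduce the selected one.
          while t[idx] == 0:
            idx = (idx + 4) % 15
          if t[idx] == 1:
            t[idx] -= 1
          else:
            t[idx] -= (idx * idx + 1) % t[idx] + 1
          idx = (idx + 4) % 15
          # A negative cell invalidates this step. flag is reset at the
          # top of the next iteration, so this only decides the outcome
          # when it happens at the last step (i == pos).
          for x in t[:15]:
            if x < 0:
              flag = False
          if flag and i == pos:
            break
      if flag and i == pos:
        # Candidate accepted: extend the known prefix (drop the padding).
        k = key[:-1]
        print('%s %s' % (k, t[:15]))
        break
    if not flag:
      print('error')
      # NOTE(review): exits with status 0 although no candidate matched.
      exit(0)
    if set(t) == {0}:
      break
  print(enbase1(''.join(map(chr, k))))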

def fun1(a,b,c):
  """Pack a, b and c into the index that crack() uses for table_4096.

  The low part is 0xc7 XORed with b >> 2, bits 6-7 of 16*c and bits 2-5
  of 4*a.  The high part is a 4-bit value built from the low two bits of
  c and 4*b, XORed with 2, and is placed above bit 8.
  """
  low_part = 0xc7
  low_part ^= b >> 2
  low_part ^= (16 * c) & 0xc0
  low_part ^= (4 * a) & 0x3c
  high_part = 2 ^ (((c & 3) ^ (4 * b)) & 0xf)
  return (high_part << 8) | low_part

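def get_n1(n):
  """Search, starting at n, for a value b whose 15-step chain ends at 1.

  For a candidate b the chain starts at a = b and applies the table-driven
  step 15 times, each time combining the running value with b.  If the
  chain reaches 1 before the 15th step, b is replaced by (b+1)%16+1 and
  the chain restarts.  b is returned once the chain reaches 1 exactly at
  the 15th step.

  The step is symmetric in its two operands: it takes the smaller one as
  c and the larger one as d, and XORs c*c % 17 with an entry of the
  external table ``table_xor`` selected by the pair (c, d).
  # presumably an obfuscated binary operation on 1..16 - confirm against
  # the contents of table_xor

  NOTE(review): if 15 steps finish on a value other than 1, the outer
  loop retries with the same b and does not terminate; presumably this
  cannot happen with the real table - confirm.
  """
  b = n
  while True:
    a = b
    for i in range(1, 16):
      c = min(a, b)
      d = max(a, b)
      # (c-1)*(34-c) is always even, so floor division is exact and the
      # index stays an int on both Python 2 and Python 3.
      a = c*c % 17 ^ table_xor[d + (c-1)*(34-c)//2 - c]
      if a == 1 and i != 15:
        # Reached 1 too early: move on to the next candidate.
        b = (b+1) % 16 + 1
        a = 0
        break
    if a == 1:
      break
  return b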

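def get_n2(m,n):
  """Apply the table-driven step n-1 times to m and report early hits of 1.

  The running value starts at m and is combined with m on every step, so
  for n <= 1 the loop does not run and (m, 0) is returned.

  Returns:
    (a, count): the final running value, and how many times the running
    value was 1 on a step other than the last one.  crack() rejects a key
    byte when the count is non-zero.

  The step takes the smaller operand as c and the larger one as d and
  XORs c*c % 17 with an entry of the external table ``table_xor``.
  """
  count = 0
  a = m
  b = m
  for i in range(1, n):
    c = min(a, b)
    d = max(a, b)
    # (c-1)*(34-c) is always even, so floor division is exact and the
    # index stays an int on both Python 2 and Python 3.
    a = c*c % 17 ^ table_xor[d + (c-1)*(34-c)//2 - c]
    if a == 1 and i != n-1:
      count += 1
  return a,count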

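def enbase1(s):
  """Encode a string of byte-valued characters as four chars per 3 bytes.

  Each output character is a 6-bit value plus 58, so for inputs whose
  characters are in 0..255 the output uses ':' through 'y'; 'z' is the
  padding character.  The bit layout is not standard base64: the third
  character carries the low 4 bits of the second byte plus the top two
  bits of the third byte (in bit positions 4-5).

  Args:
    s: text whose characters are read with ord(); crack() passes one
      character per recovered key byte.

  Returns:
    The encoded string, 4 characters for every started group of 3.
  """
  # Floor division so range() gets an int on Python 3 as well.
  l1 = len(s) // 3
  l2 = len(s) % 3
  out = []
  for i in range(l1):
    a = ord(s[3*i])
    b = ord(s[3*i+1])
    c = ord(s[3*i+2])
    out.append(chr((a >> 2) + 58))
    out.append(chr((((a & 0x3) << 4) | (b >> 4)) + 58))
    out.append(chr((b & 0xf) + ((c >> 2) & 0x30) + 58))
    out.append(chr((c & 0x3f) + 58))
  if l2 == 1:
    # One trailing byte: two data characters, two padding characters.
    a = ord(s[3*l1])
    out.append(chr((a >> 2) + 58))
    out.append(chr(((a & 0x3) << 4) + 58))
    out.append('zz')
  if l2 == 2:
    # Two trailing bytes: three data characters, one padding character.
    a = ord(s[3*l1])
    b = ord(s[3*l1+1])
    out.append(chr((a >> 2) + 58))
    out.append(chr((((a & 0x3) << 4) | (b >> 4)) + 58))
    out.append(chr((b & 0xf) + 58))
    out.append('z')
  return ''.join(out)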
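# Run the search only when executed as a script, so that importing this
# module to reuse the helpers does not start the brute force.
if __name__ == '__main__':
  crack()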

最新回复 (1)
wendax 2019-12-11 17:45
2
0