首页
社区
课程
招聘
[原创][2020][KCTF]第二题 子鼠开天 wp
2020-4-16 13:27 2159

[原创][2020][KCTF]第二题 子鼠开天 wp

ccfer 活跃值
16
2020-4-16 13:27
2159
.text:00401380 sub_401380      proc near               ; CODE XREF: _main+C9↓p
.text:00401380
.text:00401380 var_70          = byte ptr -70h
.text:00401380 var_60          = byte ptr -60h
.text:00401380 var_5F          = byte ptr -5Fh
.text:00401380 var_51          = byte ptr -51h
.text:00401380 var_50          = byte ptr -50h
.text:00401380 var_40          = byte ptr -40h
.text:00401380 var_20          = byte ptr -20h
.text:00401380 arg_0           = dword ptr  4
.text:00401380 arg_4           = dword ptr  8
.text:00401380 arg_8           = dword ptr  0Ch
.text:00401380 arg_C           = dword ptr  10h
.text:00401380
.text:00401380                 sub     esp, 70h
.text:00401383                 push    esi
.text:00401384                 mov     esi, [esp+74h+arg_4]
.text:00401388                 cmp     esi, 3
.text:0040138B                 jb      loc_401456
.text:00401391                 cmp     esi, 14h                         //用户名长度3~20
.text:00401394                 ja      loc_401456
.text:0040139A                 cmp     [esp+74h+arg_C], 40h             //key长度=64
.text:004013A2                 jnz     loc_401456
.text:004013A8                 mov     ecx, [esp+74h+arg_8]
.text:004013AF                 lea     eax, [esp+74h+var_40]
.text:004013B3                 push    eax
.text:004013B4                 push    40h
.text:004013B6                 push    ecx
.text:004013B7                 call    sub_401000                       //hex2bytes
.text:004013BC                 add     esp, 0Ch
.text:004013BF                 cmp     eax, 20h
.text:004013C2                 jnz     loc_401449
.text:004013C8                 push    0                                //改成push 1加密变解密
.text:004013CA                 push    80h
.text:004013CF                 lea     edx, [esp+7Ch+var_20]
.text:004013D3                 push    offset unk_4190D0
.text:004013D8                 push    edx
.text:004013D9                 push    eax
.text:004013DA                 lea     eax, [esp+88h+var_40]
.text:004013DE                 push    eax
.text:004013DF                 call    sub_4010F0                       //加密算法,没看具体啥算法
.text:004013E4                 lea     ecx, [esp+8Ch+var_60]
.text:004013E8                 lea     edx, [esp+8Ch+var_20]
.text:004013EC                 push    ecx
.text:004013ED                 push    20h
.text:004013EF                 push    edx
.text:004013F0                 call    sub_401210                       //rsa
.text:004013F5                 mov     al, [esp+98h+var_60]             //第1个字节==0
.text:004013F9                 add     esp, 24h
.text:004013FC                 test    al, al
.text:004013FE                 jnz     short loc_401449
.text:00401400                 cmp     [esp+74h+var_5F], 2              //第2个字节==2
.text:00401405                 jnz     short loc_401449
.text:00401407                 mov     al, [esp+74h+var_51]             //第16个字节==0
.text:0040140B                 test    al, al
.text:0040140D                 jnz     short loc_401449
.text:0040140F                 mov     ecx, [esp+74h+arg_0]
.text:00401413                 lea     eax, [esp+74h+var_70]
.text:00401417                 push    edi
.text:00401418                 push    eax
.text:00401419                 push    esi
.text:0040141A                 push    ecx
.text:0040141B                 call    sub_401190                       //用户名hash
.text:00401420                 add     esp, 0Ch
.text:00401423                 mov     ecx, 4
.text:00401428                 lea     edi, [esp+78h+var_50]
.text:0040142C                 lea     esi, [esp+78h+var_70]
.text:00401430                 xor     edx, edx
.text:00401432                 repe cmpsd                               //用户名hash与解密key的后面16字节比较
.text:00401434                 pop     edi
.text:00401435                 jnz     short loc_401456
.text:00401437                 push    offset aCongratulation ; "Congratulations! You did it!\n"
.text:0040143C                 call    sub_411A90
.text:00401441                 add     esp, 4
.text:00401444                 pop     esi
.text:00401445                 add     esp, 70h
.text:00401448                 retn

n = 69823028577465AB3991DF045146F91D556DEE8870845D8EE1CD3CF77E4A0C39
e = 10001
yafu分解得到:
p = 979BE0C9EECE7426C9FD28C2D6E7772B
q = B22831D15714EB91CD83340B4837182B
d = 390A684CB713378FFD5CCE8C4000B5D6A2BB9F29B63D395E6BE6E9DD941527BD

m = 0002000000000000000000000000000014AF58AD4D76D59D8D2171FFB4CA2231 (第3~15字节可任意,所以会多解)
c = m ^ d % n = 46FD7E72B31A3CB32B2DB098B3597825056A8AC4CF13CD127B95D2B22D9F2E45
key = sub_4010F0_decode(c) = EF589F333382266883B13D8DF4C6C4C2A786C2E7D9538E4A3D98E7B6CFCDDCE1


[CTF入门培训]顶尖高校博士及硕士团队亲授《30小时教你玩转CTF》,视频+靶场+题目!助力进入CTF世界

最后于 2020-4-16 13:40 被ccfer编辑 ,原因:
收藏
点赞0
打赏
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回