-
-
[原创]2020KCTF春季赛 第三题 寻踪觅源 WP
-
发表于: 2020-4-20 12:04 3378
-
题目自带了符号,用IDA载入,main函数先对输入的sn做了一些简单的校验。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 | printf ( "Please input UserName:" ); gets (&v250); v3 = &v250 + strlen (&v250); v4 = v3 - &v250; if ( (unsigned int )(v3 - &v250 - 4) > 0xC ) goto LABEL_78; printf ( "Please input SerialNumber:" ); gets (Src); v5 = strlen (Src) + 1; v6 = v5 - 1; if ( v5 - 5 > 0x1B ) // sn长度小于32 goto LABEL_78; v239 = v5 - 1; if ( v6 % 2 == 1 ) goto LABEL_78; if ( ( signed int )(v5 - 1) <= 0 ) goto LABEL_11; if ( (unsigned __int8 )(Src[0] - 0x3A) <= 0x26u || (unsigned __int8 )(Src[0] - 0x30) > 0x36u ) // 限制字符范围为[a-f] { LABEL_78: puts ( "Input Error!" ); return 0; } v7 = &Src[1]; v8 = &Src[v6]; while ( v8 != v7 ) { v9 = *v7++; if ( (unsigned __int8 )(v9 - 58) <= 0x26u || (unsigned __int8 )(v9 - 48) > 0x36u ) goto LABEL_78; } |
username不够16位的话,则用自身补足,例如"KCTF"会补足为"KCTFKCTFKCTFKCTF"。
核心验证逻辑则是用quickjs封装起来,00458040处为quickjs编译后的bytecode。00401630 是执行这些bytecode的虚拟机。
由于各种因素,这部分我选择直接人肉了bytecode,结果不忍直视,就不放出来了,可以参考其他师傅的wp,编译quickjs反汇编bytecode,读起来会很轻松。
bytecode部分用python表示大致如下
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | username = 'D9D951D13E6AE085' testsn = '2c0e193a0e0aab59493d2b784d38' .decode( 'hex' ) r1 = 0 for i in range(len(username)): cur = ord(username[i]) r1 += cur if i == len(username) - 1: break r1 *= 0x2b print (r1) xornum = r1 % 0x7f r2 = 0 numc = 0 for i in range(len(testsn)): cur = ord(testsn[i]) ^ (xornum) cur = (cur >> 4) * 0xa + cur % 0x10 r2 += cur if i == len(testsn) - 1: break r2 *= 0x64 print (r2) if r1 == r2: print 'ok' else : print 'no' |
然后写出keygen
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 | username = "KCTFKCTFKCTFKCTF" result = 0 sn = 0 for i in range(len(username)): cur = ord(username[i]) result += cur if i == len(username) - 1: break result *= 43 print (result) xornum = result % 0x7f numc = 0 while result != 0: cur = result % 100 cur = ((cur / 10) << 4) | cur % 10 cur ^= xornum sn |= (cur << numc) numc += 8 result /= 100 print hex(sn)[2:-1] |
运行后得到flag 40017535dad01714402635730122
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2020-4-20 12:41
被梦游枪手编辑
,原因:
赞赏
他的文章
看原图
赞赏
雪币:
留言: