[Original] [Challenge 9] 歧路亡羊 (Lost Sheep at the Forked Road) writeup
Posted: 2020-5-6 14:40

歧路亡羊: writeup by team 98k

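This is a land rich in nature's treasures, where the gleam of the dragon sword shines over Jingzhou; a land of remarkable people, where Dongting lowers a couch for the Taoist. I had heard by chance that the Half-Blind Taoist excels in the art of defense. My own learning is shallow, and I hoped to visit Half-Blind and obtain his divine art. But I have neither name nor skill, and did not know how to gain an audience. I heard that Kanxue was holding a contest in the way of software attack and defense, with distinguished guests filling the hall and scholars warmly welcomed, and that the Half-Blind Taoist, bringing years of painstaking work and devoted practice, would make public a defensive art that none of the contestants could break. I was delighted, but I held no dragon-slaying sword and had mastered no art, and did not know how to face my fellow practitioners. Much dejected, I searched far and wide for heroes, roster in hand, looking for like-minded friends. After an exhausting search I obtained one divine weapon: pizza. To do good work one must first sharpen one's tools; with pizza's help I would surely shine at the Half-Blind Taoist's residence. I was delighted, and what I went through is recorded in detail here.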

A record of testing the Half-Blind Taoist's arts

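pizza is highly skilled in the art of breaking things, and I stood in attendance at his side. I watched pizza use x64dbg to record what the function computes, first with the data set entirely to 0x00 and then entirely to 0xff, and in this way pizza obtained all of Half-Blind's operations. pizza then examined the pattern of Half-Blind's art: although it confounds the mind, it still has distinguishing features. pizza recorded them in detail alongside, observed carefully after setting breakpoints, and from the log learned the real and fake categories within the art. pizza then traced back through the stack looking for clues; a global variable showed up there, and with that he had all of Half-Blind's small routine. pizza could break it alone; I never helped, and I am much ashamed. pizza obtained one peculiar routine and asked me: can this be solved? I examined it again and again; pizza's record of it reads as follows.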

zero = [
0x4D09AF3ABCA28A8D,
0x9FE10506A2C9A9A,
0xD2CAE855C068E1E1,
0x8E86479F6E6A694,
0x6A4BD5F20EFD8499,
0xA0449A4DF2C0F524,
0x61B1EE4C89A1C74A,
0x3E2A0CF5AFC54669,
0xBCC700EAD1995E75,
0x281876D27FDD03C6,
0x601A1255813ADF30,
0xF507E8AC585A4E42,
0xF81BB1D3980A2FA4,
0x18E55A56CA0AD2C7,
0xAAD9CFC2182BEBA0,
0xEEE198AABDBE8A18,
0x63FF598FDA7E7D6F,
0xE15CE23DF925822A,
0xBC36E215B5689224,
0xB7800C9EBAE07702,
0x80931FC6D227F8DC,
0x3F8DF570B658B85D,
0x7BA207CB52F24E88,
0x6A633F82966E82AB,
0x75E0B5660623690F,
0xCC9148B45107B5C9,
0x586B216EF43AD48E,
0xA96B5A8AFF1878F3,
0x87762DB8DCE9B73C,
0x6FA7015E6BB367B6,
0xBFD039B8B4F29C94,
0x7EE7E8FD8040BD86,
0x5A0CE9D5D3AF4435,
0xBB3113E0107ADEDC,
0x3E7FFB6F3748AE83,
0xA1F7BF0929977159,
0xC269314AC1FEA8E7,
0x5C064C38F21BC241,
0x120D6129A85D8E4B,
0xFCA8B3EE674F2565,
0x97C2F6A547610C57,
0x1619A76F4EBE3D6,
0x508180C897BA2FC6,
0x9E6749482573B96D,
0x3FF6CC85C6A56601,
0x7F9A7AE568EBFFB8,
0xBFEFF562CE0D5D58,
0x294B87E2897091D2,
0x1C117BA895F600EE,
0xBFBE146E10193B6E,
0x8AB612550AA8E1AB,
0xDCC914BED9036F0D,
0xBA1343A95D820BA9,
0x2F55690A4CACCA44,
0x5B57CE14DACA37FC,
0x29D2BFF018B00740,
0xA8A8FF75703DD709,
0xF587AAEF1F9516F,
0xF50617B128A0071E,
0xFBD4FD51CEA9D12B,
0x7E1F54E20AFC1CD9,
0x90148276BF1E5D49,
0x527EA699DE716460,
0x34F21BFC6D7943B3,
]
 
one = [
0x3796F61D3F496D9A,
0xFA62CE8FF9D33901,
0xC4F9550241FDFFA3,
0x8ACDD6E445EFBD97,
0x30A83415D047FB98,
0x73957581242C53D,
0xAF82609DE0AEC05C,
0xAD063DBEB266AF43,
0x435068F420FA4FF0,
0xCE6C8C612BD1E439,
0x1D3D3C45D52394CF,
0x1FA5D059C60AA3E3,
0x3C4D092D773B3A2E,
0x97BF010CCFF099F9,
0x5C35272C4834AD4D,
0x8A18F8556F480632,
0x1A9B941774F6CDF4,
0x3C73B45AE0CDBA4,
0xB93D7864763E24E6,
0x6A0ECDEBB77CD18F,
0x69295501BE7EC046,
0x7A530DC89A3FCD12,
0x253E5D6E09849A46,
0xE6DE159244D58711,
0xD1245D0E166D6484,
0x88520272CC6E4A8D,
0x5F78D84D7401F1B9,
0x821447502D8F83A5,
0x5C9D9EE1F131C160,
0xECE764A468850EF,
0xC4769184600CF71,
0xCC566B2C807D1B84,
0x4DC8AFA3B4485576,
0x9D73EA268C866AC8,
0x8133D136D4F81831,
0x1F3C37467929918B,
0x9C2BCA2EA39C691F,
0xD69F4D2FC2D45B9E,
0xD5B60F964288FD32,
0xE9E70AFED5EE6CBF,
0xA45472C49BED802F,
0x4549C58141A7CCC9,
0x4659FD56784637A8,
0xAB69D618D946FFA,
0x49F2759549998302,
0xBFC400DFEF2928C8,
0xFA1507576A21B1AE,
0x381BA1BD97727CDD,
0x2AF20C4B4D98CF16,
0xA5141F6DDE5BE4F0,
0x2BD13515C74A6B36,
0x584603B14F9C07BE,
0x404CEC02BC8B778A,
0xB56620E4E50ED47C,
0x79467C2907B00174,
0xF6BA88D86FE38A7F,
0x7C592711E4673A1E,
0x32252E609065990A,
0xAD8E364386CBA8D4,
0xCE5280D041F19AAA,
0xFB738CEFCB4EBE76,
0xA44396F44F4B69B8,
0x717B237316B0728,
0xA2D352BA607243F5,
]
 
pair = [
(0x4, 0x20),
(0x5, 0x40),
(0x2, 0x1),
(0x5, 0x20),
(0x3, 0x8),
(0x1, 0x4),
(0x4, 0x1),
(0x7, 0x8),
(0x0, 0x20),
(0x0, 0x4),
(0x5, 0x4),
(0x1, 0x80),
(0x1, 0x2),
(0x7, 0x10),
(0x6, 0x1),
(0x0, 0x10),
(0x5, 0x1),
(0x4, 0x8),
(0x7, 0x2),
(0x2, 0x40),
(0x3, 0x10),
(0x3, 0x40),
(0x6, 0x20),
(0x6, 0x4),
(0x6, 0x80),
(0x7, 0x4),
(0x1, 0x1),
(0x7, 0x80),
(0x1, 0x20),
(0x1, 0x10),
(0x0, 0x8),
(0x5, 0x80),
(0x2, 0x2),
(0x1, 0x8),
(0x6, 0x10),
(0x3, 0x80),
(0x1, 0x40),
(0x2, 0x10),
(0x7, 0x20),
(0x3, 0x20),
(0x4, 0x80),
(0x2, 0x8),
(0x3, 0x4),
(0x6, 0x2),
(0x0, 0x1),
(0x0, 0x80),
(0x6, 0x40),
(0x2, 0x4),
(0x0, 0x2),
(0x7, 0x40),
(0x0, 0x40),
(0x4, 0x10),
(0x4, 0x40),
(0x5, 0x10),
(0x2, 0x80),
(0x5, 0x8),
(0x2, 0x20),
(0x3, 0x2),
(0x5, 0x2),
(0x4, 0x2),
(0x3, 0x1),
(0x4, 0x4),
(0x7, 0x1),
(0x6, 0x8),
]
 
out = 0
val = [0xD0, 0x8E, 0x85, 0x01, 0xBF, 0x45, 0x04, 0x6A] # input
val = [0x30 for i in range(8)]  # overrides the line above: eight bytes of 0x30 (ASCII "0")
for i in range(64):
    x, y = pair[i]
    x = 7 - x
    if val[x] & y == y:
        out ^= one[i]
    else:
        out ^= zero[i]
 
print(hex(out))
print(len(one))
# per bit i: out ^= zero[i]*(1-x) + one[i]*x, where x is the selected input bit (0 or 1)

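I studied this art. Although it cannot be exhausted by brute force, the depth of its technique is lost on those who have not seen it: Half-Blind knows the art of defense deeply and is also well versed in mathematics. I used Sage. I know this is an operation over a ring of integers; although it cannot be solved directly, matrix methods can be applied over the integers mod 2, and with the help of Gauss the inverse can surely be found.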

a=(M_zero * one_vector) + ((M_zero + M_one)*x_input)

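Substituting the input through a single table gives the input to the formula, after which it can be solved. I know a little mathematics, and can rearrange the formula so that, given its output, one arrives at its input.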

temp_input = (~(M_zero + M_one))*(the_hex - (M_zero * one_vector))

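With the inverse in hand, pizza finished the job in one go. By the time pizza and I had solved it, it was the Yin hour of the third day. This auspicious hour helped us: the Tiger of Yin catches the lost sheep, so timing, terrain and people were all in our favor.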
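The inversion described above, written out in plain Python as an added example (it is not the author's Sage script): the routine is affine over GF(2), so XORing out the constant term and running Gaussian elimination on the columns `zero[i] ^ one[i]` recovers the input bits. The function names are this example's own, and `constructed_tables` generates stand-in tables, not the challenge's `zero`/`one`/`pair`.

```python
import random

def forward(val, zero, one, pair):  # same logic as the routine recorded above
    out = 0
    for i, (x, y) in enumerate(pair):
        out ^= one[i] if val[7 - x] & y else zero[i]
    return out

def build_basis(cols):
    """Gaussian elimination over GF(2); each basis row remembers which cols made it."""
    basis = {}  # pivot bit -> (reduced vector, bitmask of contributing columns)
    for i, v in enumerate(cols):
        m = 1 << i
        while v:
            p = v.bit_length() - 1
            if p not in basis:
                basis[p] = (v, m)
                break
            v, m = v ^ basis[p][0], m ^ basis[p][1]
    return basis

def invert(out, zero, one, pair):
    """Recover the 8 input bytes from out, or None if out is unreachable."""
    target = out
    for z in zero:               # constant term: XOR of all zero[i]
        target ^= z
    basis = build_basis([z ^ o for z, o in zip(zero, one)])
    sel = 0                      # bit i set <=> input bit i must be 1
    while target:
        p = target.bit_length() - 1
        if p not in basis:
            return None
        target, sel = target ^ basis[p][0], sel ^ basis[p][1]
    val = [0] * 8
    for i, (x, y) in enumerate(pair):
        if sel >> i & 1:
            val[7 - x] |= y
    return val

def constructed_tables(seed=2020):
    """Constructed stand-in tables (not the challenge's), retried until invertible."""
    rng = random.Random(seed)
    pair = [(b, 1 << k) for b in range(8) for k in range(8)]
    rng.shuffle(pair)
    while True:
        zero = [rng.getrandbits(64) for _ in range(64)]
        one = [rng.getrandbits(64) for _ in range(64)]
        if len(build_basis([z ^ o for z, o in zip(zero, one)])) == 64:
            return zero, one, pair
```

Passing the `zero`, `one` and `pair` lists from the script above to `invert` applies the same steps to the real tables.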

Postscript

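Everyone, read ccfer dalao's writeup and debug along with it and you are pretty much there. That our team could solve this challenge is entirely to pizza's credit; I was the one in charge of serving the tea.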


Last edited by 全盲法师 on 2020-5-6 14:42.