-
-
[原创]网刃杯逆向wp
-
发表于: 2021-9-14 15:51 21199
-
根据常数搜索到Sm3,然后爆破就行。
本来用unicorn可以秒这道题,但是不知道我多蠢,模拟了一个自己patch过的文件,导致没跑出来,解出这个题之后才发觉,所以写两种方法。
两个地方反调试:
这里也需要过跳转:
关键地方就是check分数,得到正确的分数进行简单计算即可:
要得到score,patch反调试,然后程序内改汇编进行爆破。
.text:00992388 90 nop
.text:00992389
.text:00992389 loc_992389: ; CODE XREF: sub_992290+12C↓j
.text:00992389 8B 8D 68 FF FF FF mov ecx, [ebp+var_98]
.text:0099238F 8B 01 mov eax, [ecx+0]
.text:00992391 83 C0 01 add eax, 1
.text:00992394 89 01 mov [ecx], eax
.text:00992396 89 41 4C mov [ecx+4Ch], eax
.text:00992399 90 nop
.text:0099239A 90 nop
.text:0099239B 90 nop
.text:0099239C 90 nop
拿到分数。
unicorn模拟程序爆破解法:
ss
=
[
'6b8575c6092240cde08414dafd535bee'
,
'f0f659f2951290ad5e076b3fe5e70425'
,
'c1d6c663570de9fad13ddef955d8a02b'
,
'14c4e442fba6d820ea90ae73ed90ad83'
,
'25d997669868d0cf89782349256efb33'
,
'78b1ea6bb1ac10287864c8f52d2758b6'
,
'67d1259c26765356ddb58c6faf28080c'
,
'c1e14e0c86f55ba1d74b35b66f96ad36'
,
'3e4f3ee942d1a57182e24df201b7022b'
,
'c35557f7e5c389061fb2e2ffa1a644ad'
,
'15593844fae18fe1a25f3a9017c73810'
,
'c6c21ca591a63755fd77bf5c55a0238a'
,
'f90cb529875e83cc191c0e10ead6f73e'
,
'3ddbe25f9b183c3e2c33c3b1e501fcd8'
,
'30fdf04c347f1d4e335bda670d54eaaf'
,
'33feb100c8c7c3769af6e9d26486c646'
]
m
=
'77'
IV
=
'7380166f4914b2b9172442d7da8a0600a96f30bc163138aae38dee4db0fb0e4e'
#填充函数
def
filling(m):
#消息m是一个16进制字符串
#直接加16进制比较好
#61626364616263646162636461626364616263646162636461626364616263646162636461626364616263646162636461626364616263646162636461626364
#a = int(m,16)
#b = bin(a)[2:]#消息转换为二进制
length_b
=
len
(m)
*
4
#记录消息的长度
#s1='{:04b}'.format(s1)
b
=
m
b
=
b
+
'8'
#补 1
c
=
len
(b)
%
128
c
=
112
-
c
#补 0 的个数
d
=
'0'
*
c
b
=
b
+
d
#补 0
length_m
=
'{:016x}'
.
format
(length_b)
#也是16进制
b
=
b
+
length_m
#填充完毕
#b = int(b)
#b = hex(b)[2:]
return
b
#分组函数
def
fenzu(m):
m
=
filling(m)
len_m
=
len
(m)
/
128
m_list
=
[]
for
i
in
range
(
int
(len_m)):
a
=
m[
0
+
128
*
i:
+
128
*
(i
+
1
)]
m_list.append(a)
return
m_list
#扩展函数
def
expand(m,n):
#n代表是第几组消息,消息之间没有关系,不用迭代
B
=
fenzu(m)
#列表
W
=
[
'0'
for
i
in
range
(
68
)]
W_0
=
[
'0'
for
i
in
range
(
64
)]
for
i
in
range
(
int
(
len
(B[n])
/
8
)):
#128/8=16个字
w
=
B[n][i
*
8
:(i
+
1
)
*
8
]
W[i]
=
w
for
j
in
range
(
16
,
68
):
a
=
or_16(W[j
-
16
],W[j
-
9
])
W_j_3
=
Cyc_shift(W[j
-
3
],
15
)
#print(W_j_3)
a
=
or_16(a,W_j_3)
a
=
Replace_P1(a)
#print(a)
W_j_13
=
Cyc_shift(W[j
-
13
],
7
)
a
=
or_16(a,W_j_13)
a
=
or_16(a,W[j
-
6
])
W[j]
=
a
#return W
for
j
in
range
(
64
):
W_0[j]
=
or_16(W[j],W[j
+
4
])
return
W,W_0
#置换函数
def
Replace_P1(X):
#X为32位字
X_15
=
Cyc_shift(X,
15
)
#循环移位
X_23
=
Cyc_shift(X,
23
)
a
=
or_16(X,X_15)
a
=
or_16(a,X_23)
return
a
#置换函数
def
Replace_P0(X):
#X为32位字
X_9
=
Cyc_shift(X,
9
)
X_17
=
Cyc_shift(X,
17
)
a
=
or_16(X,X_9)
a
=
or_16(a,X_17)
return
a
#异或函数
def
or_16(A,B):
A
=
int
(A,
16
)
B
=
int
(B,
16
)
C
=
A ^ B
C
=
'{:08x}'
.
format
(C)
return
C
#循环移位函数
def
Cyc_shift(W,n):
a
=
int
(W,
16
)
a
=
'{:032b}'
.
format
(a)
while
n>
=
32
:
n
=
n
-
32
a
=
a[n:]
+
a[:n]
a
=
int
(a,
2
)
a
=
'{:08x}'
.
format
(a)
return
a
#常量Tj
def
T_j(j):
if
j<
=
15
:
T_j
=
'79cc4519'
else
:
T_j
=
'7a879d8a'
return
T_j
#mod 2^32 算术加运算
def
add(x,y):
x
=
int
(x,
16
)
x
=
'{:032b}'
.
format
(x)
x
=
list
(x)
y
=
int
(y,
16
)
y
=
'{:032b}'
.
format
(y)
y
=
list
(y)
#print(x)
#print(y)
a
=
[
0
for
_
in
range
(
32
)]
carry
=
0
for
i
in
range
(
32
):
m
=
int
(x[
31
-
i])
+
int
(y[
31
-
i])
+
carry
if
m>
=
2
:
d
=
m
-
2
a[
31
-
i]
=
str
(d)
carry
=
1
else
:
carry
=
0
d
=
m
a[
31
-
i]
=
str
(d)
#print(a)
b
=
''.join(a)
b
=
int
(b,
2
)
b
=
'{:08x}'
.
format
(b)
return
b
#布尔函数
def
FF_j(X,Y,Z,j):
if
j<
=
15
:
a
=
or_16(X,Y)
a
=
or_16(a,Z)
else
:
a
=
and_Cal(X,Y)
b
=
and_Cal(X,Z)
c
=
and_Cal(Y,Z)
a
=
or_Cal(a,b)
a
=
or_Cal(a,c)
return
a
#布尔函数
def
GG_j(X, Y, Z, j):
if
j <
=
15
:
a
=
or_16(X, Y)
a
=
or_16(a, Z)
else
:
a
=
and_Cal(X,Y)
b
=
qufan(X)
b
=
and_Cal(b,Z)
a
=
or_Cal(a,b)
return
a
#与运算函数
def
and_Cal(a,b):
a
=
int
(a,
16
)
b
=
int
(b,
16
)
a_b
=
a & b
a_b
=
'{:08x}'
.
format
(a_b)
return
a_b
#或运算函数
def
or_Cal(a,b):
a
=
int
(a,
16
)
b
=
int
(b,
16
)
a_b
=
a | b
a_b
=
'{:08x}'
.
format
(a_b)
return
a_b
#按位取反函数
def
qufan(A):
A
=
int
(A,
16
)
A
=
'{:032b}'
.
format
(A)
A
=
list
(A)
for
i
in
range
(
32
):
if
A[i]
=
=
'0'
:
A[i]
=
'1'
else
:
A[i]
=
'0'
A
=
''.join(A)
A
=
int
(A,
2
)
A
=
'{:08x}'
.
format
(A)
return
A
#压缩函数
m_list
=
fenzu(m)
m_len
=
len
(m_list)
V
=
[
'0'
for
i
in
range
(m_len
+
1
)]
V[
0
]
=
IV
#压缩函数
def
CF(m,n,k):
w
=
expand(m, n)
W
=
w[
0
]
W_0
=
w[
1
]
A
=
V[k][
0
:
8
]
B
=
V[k][
8
:
16
]
C
=
V[k][
16
:
24
]
D
=
V[k][
24
:
32
]
E
=
V[k][
32
:
40
]
F
=
V[k][
40
:
48
]
G
=
V[k][
48
:
56
]
H
=
V[k][
56
:
64
]
#print(W_0)
all
=
''
for
j
in
range
(
64
):
#print(E)
b
=
a
=
Cyc_shift(A,
12
)
#t = b
T
=
T_j(j)
#
T
=
Cyc_shift(T,j)
#忘记移位了,移位问题
a
=
add(a,E)
a
=
add(a,T)
SS1
=
Cyc_shift(a,
7
)
SS2
=
or_16(SS1,b)
b
=
FF_j(A,B,C,j)
b
=
add(b,D)
b
=
add(b,SS2)
TT1
=
add(b,W_0[j])
#
b
=
GG_j(E,F,G,j)
b
=
add(b, H)
b
=
add(b, SS1)
TT2
=
add(b, W[j])
#
D
=
C
C
=
Cyc_shift(B,
9
)
B
=
A
A
=
TT1
#
H
=
G
G
=
Cyc_shift(F,
19
)
F
=
E
E
=
Replace_P0(TT2)
#
all
=
A
+
B
+
C
+
D
+
E
+
F
+
G
+
H
#print(all)
#V[k+1]=or_16(all,V[k])
#return V[k+1]
#print(t)
#return all
V[k
+
1
]
=
or_16(V[k],
all
)
#print(CF(m,0,0))
#print(V)
def
hash
(m
=
m):
for
i
in
range
(m_len):
v_n
=
CF(m,i,i)
#print(V[-1])
return
V[
-
1
]
#b=''
#b=a[0:8]+'\0'+a[8:16]+'\0'+a[16:24]+'\0'+a[24:32]+'\0'+a[32:40]+'\0'+a[40:48]+'\0'+a[48:56]+'\0'+a[56:64]
#print(b)
flag
=
""
ttt
=
""
for
j
in
range
(
len
(ss)):
for
i
in
range
(
0xff
):
arg
=
ttt
+
hex
(i)[
2
:].rjust(
2
,
"0"
)
res
=
hash
(m
=
arg)[:
32
]
#print(res, i)
if
res
=
=
ss[j]:
flag
+
=
chr
(i)
ttt
+
=
hex
(i)[
2
:].rjust(
2
,
"0"
)
print
(flag)
break
#print('输入的消息m是:\n',m)
#print('消息m的hash值为:\n',b)
ss
=
[
'6b8575c6092240cde08414dafd535bee'
,
'f0f659f2951290ad5e076b3fe5e70425'
,
'c1d6c663570de9fad13ddef955d8a02b'
,
'14c4e442fba6d820ea90ae73ed90ad83'
,
'25d997669868d0cf89782349256efb33'
,
'78b1ea6bb1ac10287864c8f52d2758b6'
,
'67d1259c26765356ddb58c6faf28080c'
,
'c1e14e0c86f55ba1d74b35b66f96ad36'
,
'3e4f3ee942d1a57182e24df201b7022b'
,
'c35557f7e5c389061fb2e2ffa1a644ad'
,
'15593844fae18fe1a25f3a9017c73810'
,
'c6c21ca591a63755fd77bf5c55a0238a'
,
'f90cb529875e83cc191c0e10ead6f73e'
,
'3ddbe25f9b183c3e2c33c3b1e501fcd8'
,
'30fdf04c347f1d4e335bda670d54eaaf'
,
'33feb100c8c7c3769af6e9d26486c646'
]
m
=
'77'
IV
=
'7380166f4914b2b9172442d7da8a0600a96f30bc163138aae38dee4db0fb0e4e'
#填充函数
def
filling(m):
#消息m是一个16进制字符串
#直接加16进制比较好
#61626364616263646162636461626364616263646162636461626364616263646162636461626364616263646162636461626364616263646162636461626364
#a = int(m,16)
#b = bin(a)[2:]#消息转换为二进制
length_b
=
len
(m)
*
4
#记录消息的长度
#s1='{:04b}'.format(s1)
b
=
m
b
=
b
+
'8'
#补 1
c
=
len
(b)
%
128
c
=
112
-
c
#补 0 的个数
d
=
'0'
*
c
b
=
b
+
d
#补 0
length_m
=
'{:016x}'
.
format
(length_b)
#也是16进制
b
=
b
+
length_m
#填充完毕
#b = int(b)
#b = hex(b)[2:]
return
b
#分组函数
def
fenzu(m):
m
=
filling(m)
len_m
=
len
(m)
/
128
m_list
=
[]
for
i
in
range
(
int
(len_m)):
a
=
m[
0
+
128
*
i:
+
128
*
(i
+
1
)]
m_list.append(a)
return
m_list
#扩展函数
def
expand(m,n):
#n代表是第几组消息,消息之间没有关系,不用迭代
B
=
fenzu(m)
#列表
W
=
[
'0'
for
i
in
range
(
68
)]
W_0
=
[
'0'
for
i
in
range
(
64
)]
for
i
in
range
(
int
(
len
(B[n])
/
8
)):
#128/8=16个字
w
=
B[n][i
*
8
:(i
+
1
)
*
8
]
W[i]
=
w
for
j
in
range
(
16
,
68
):
a
=
or_16(W[j
-
16
],W[j
-
9
])
W_j_3
=
Cyc_shift(W[j
-
3
],
15
)
#print(W_j_3)
a
=
or_16(a,W_j_3)
a
=
Replace_P1(a)
#print(a)
W_j_13
=
Cyc_shift(W[j
-
13
],
7
)
a
=
or_16(a,W_j_13)
a
=
or_16(a,W[j
-
6
])
W[j]
=
a
#return W
for
j
in
range
(
64
):
W_0[j]
=
or_16(W[j],W[j
+
4
])
return
W,W_0
#置换函数
def
Replace_P1(X):
#X为32位字
X_15
=
Cyc_shift(X,
15
)
#循环移位
X_23
=
Cyc_shift(X,
23
)
a
=
or_16(X,X_15)
a
=
or_16(a,X_23)
return
a
#置换函数
def
Replace_P0(X):
#X为32位字
X_9
=
Cyc_shift(X,
9
)
X_17
=
Cyc_shift(X,
17
)
a
=
or_16(X,X_9)
a
=
or_16(a,X_17)
return
a
#异或函数
def
or_16(A,B):
A
=
int
(A,
16
)
B
=
int
(B,
16
)
C
=
A ^ B
C
=
'{:08x}'
.
format
(C)
return
C
#循环移位函数
def
Cyc_shift(W,n):
a
=
int
(W,
16
)
a
=
'{:032b}'
.
format
(a)
while
n>
=
32
:
n
=
n
-
32
a
=
a[n:]
+
a[:n]
a
=
int
(a,
2
)
a
=
'{:08x}'
.
format
(a)
return
a
#常量Tj
def
T_j(j):
if
j<
=
15
:
T_j
=
'79cc4519'
else
:
T_j
=
'7a879d8a'
return
T_j
#mod 2^32 算术加运算
def
add(x,y):
x
=
int
(x,
16
)
x
=
'{:032b}'
.
format
(x)
x
=
list
(x)
y
=
int
(y,
16
)
y
=
'{:032b}'
.
format
(y)
y
=
list
(y)
#print(x)
#print(y)
a
=
[
0
for
_
in
range
(
32
)]
carry
=
0
for
i
in
range
(
32
):
m
=
int
(x[
31
-
i])
+
int
(y[
31
-
i])
+
carry
if
m>
=
2
:
d
=
m
-
2
a[
31
-
i]
=
str
(d)
carry
=
1
else
:
carry
=
0
d
=
m
a[
31
-
i]
=
str
(d)
#print(a)
b
=
''.join(a)
b
=
int
(b,
2
)
b
=
'{:08x}'
.
format
(b)
return
b
#布尔函数
def
FF_j(X,Y,Z,j):
if
j<
=
15
:
a
=
or_16(X,Y)
a
=
or_16(a,Z)
else
:
a
=
and_Cal(X,Y)
b
=
and_Cal(X,Z)
c
=
and_Cal(Y,Z)
a
=
or_Cal(a,b)
a
=
or_Cal(a,c)
return
a
#布尔函数
def
GG_j(X, Y, Z, j):
if
j <
=
15
:
a
=
or_16(X, Y)
a
=
or_16(a, Z)
else
:
a
=
and_Cal(X,Y)
b
=
qufan(X)
b
=
and_Cal(b,Z)
a
=
or_Cal(a,b)
return
a
#与运算函数
def
and_Cal(a,b):
a
=
int
(a,
16
)
b
=
int
(b,
16
)
a_b
=
a & b
a_b
=
'{:08x}'
.
format
(a_b)
return
a_b
#或运算函数
def
or_Cal(a,b):
a
=
int
(a,
16
)
b
=
int
(b,
16
)
赞赏
- [原创]网刃杯逆向wp 21200
- [原创]羊城杯部分逆向wp 16228
- [求助]现在还适合去进行app应用安全漏洞挖掘吗 4333