[原创]签到-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创]签到

发表于: 2021-11-15 18:27 2243

[原创]签到

M2727527

2021-11-15 18:27

2243

xor eax,ebx ebx为0x5EE54F4C, 可得异或前的eax为0xc44a216

加密部分代码

00052E79  |> /8D4B D0       /lea ecx,dword ptr ds:[ebx-0x30]
00052E7C  |. |80F9 09       |cmp cl,0x9
00052E7F  |. |77 08         |ja short kctf2021.00052E89
00052E81  |. |0FBECB        |movsx ecx,bl
00052E84  |. |83C1 D0       |add ecx,-0x30
00052E87  |. |EB 23         |jmp short kctf2021.00052EAC
00052E89  |> |8AC3          |mov al,bl
00052E8B  |. |2C 61         |sub al,0x61                             ;  Switch (cases 61..BB)
00052E8D  |. |3C 19         |cmp al,0x19
00052E8F  |. |77 08         |ja short kctf2021.00052E99
00052E91  |. |0FBECB        |movsx ecx,bl                            ;  Cases 61,62,63,64,65,66,67,68,69,6A,6B,6C,6D,6E,6F,70,71,72,73,74,75,76,77,78,79,7A of switch 00052E8B
00052E94  |. |83C1 A9       |add ecx,-0x57
00052E97  |. |EB 13         |jmp short kctf2021.00052EAC
00052E99  |> |8AC3          |mov al,bl
00052E9B  |. |2C 41         |sub al,0x41
00052E9D  |. |3C 19         |cmp al,0x19
00052E9F  |. |77 08         |ja short kctf2021.00052EA9
00052EA1  |. |0FBECB        |movsx ecx,bl                            ;  Cases A2,A3,A4,A5,A6,A7,A8,A9,AA,AB,AC,AD,AE,AF,B0,B1,B2,B3,B4,B5,B6,B7,B8,B9,BA,BB of switch 00052E8B
00052EA4  |. |83C1 C9       |add ecx,-0x37
00052EA7  |. |EB 03         |jmp short kctf2021.00052EAC
00052EA9  |> |83C9 FF       |or ecx,-0x1                             ;  Default case of switch 00052E8B
00052EAC  |> |83F9 FF       |cmp ecx,-0x1
00052EAF  |. |74 30         |je short kctf2021.00052EE1
00052EB1  |. |3BCF          |cmp ecx,edi
00052EB3  |. |73 2C         |jnb short kctf2021.00052EE1
00052EB5  |. |8B45 F4       |mov eax,[local.3]
00052EB8  |. |83CA 08       |or edx,0x8
00052EBB  |. |8B5D F0       |mov ebx,[local.4]
00052EBE  |. |3BC3          |cmp eax,ebx
00052EC0  |. |72 0C         |jb short kctf2021.00052ECE
00052EC2  |. |75 05         |jnz short kctf2021.00052EC9
00052EC4  |. |3B4D EC       |cmp ecx,[local.5]
00052EC7  |. |76 05         |jbe short kctf2021.00052ECE
00052EC9  |> |83CA 04       |or edx,0x4
00052ECC  |. |EB 08         |jmp short kctf2021.00052ED6
00052ECE  |> |0FAFC7        |imul eax,edi
00052ED1  |. |03C1          |add eax,ecx
00052ED3  |. |8945 F4       |mov [local.3],eax
00052ED6  |> |8A1E          |mov bl,byte ptr ds:[esi]
00052ED8  |. |46            |inc esi
00052ED9  |. |885D FC       |mov byte ptr ss:[ebp-0x4],bl
00052EDC  |. |8975 0C       |mov [arg.2],esi
00052EDF  |.^\EB 98         \jmp short kctf2021.00052E79

手动爆破
手动爆破
EAX值密码
0CB91795 213456789
0C452015 205856789
0C45200C 205856780

0C44A216 205824534
0C4435AC 205796780
0C440E9C 205786780
0C43996C 205756780
0C4268BC 205678780
0C4212D5 205656789
0C38EB15 205056789
0C376475 204956789
0C269B95 203856789
0C208115 203456789
0C1A6695 203056789
0DFB38D2 234567890
最后密码是205824534