-
-
[原创]KCTF2021秋季赛 迷失丛林
-
发表于: 2021-11-18 17:48 16339
-
输入为32位,每两位转换为16进制数,校验分为两部分
这里的算法是生成一个八层的二叉树,然后判断第八层节点中值为0,14,40,79的个数
二叉树生成逻辑如下
这里我推了一段时间发现是不可逆的(可能我太菜,欢迎大佬指正),只能爆破,因为在生成二叉树时可以索引到tmp表的所有成员,所以猜测只要爆破tmp表的前8个数即可,共8的阶乘种可能性,规模不大
简单的换表加密,直接爆破
tmp
=
[...]
#程序内存的一个表,表的前八位是输入的前16位转换成的16进制数
父节点(parent)
左儿子(tmp[parent]) 右儿子(parent
+
1
)
根节点的值为
1
~
256
,共
256
个二叉树
tmp
=
[...]
#程序内存的一个表,表的前八位是输入的前16位转换成的16进制数
父节点(parent)
左儿子(tmp[parent]) 右儿子(parent
+
1
)
根节点的值为
1
~
256
,共
256
个二叉树
off
=
[
0x00000002
,
0x00000004
,
0x00000008
,
0x00000010
,
0x00000020
,
0x00000040
,
0x80
]
table
=
[
0x12
,
0x43
,
0x65
,
0x87
,
0x19
,
0x32
,
0x54
,
0x67
,
0xA2
,
0x9B
,
0xF4
,
0xDF
,
0xAC
,
0x7C
,
0xA1
,
0xC6
,
0x16
,
0xD0
,
0x0F
,
0xDD
,
0xDC
,
0x73
,
0xC5
,
0x6B
,
0xD1
,
0x96
,
0x47
,
0xC2
,
0x26
,
0x67
,
0x4E
,
0x41
,
0x82
,
0x20
,
0x56
,
0x9A
,
0x6E
,
0x33
,
0x92
,
0x88
,
0x29
,
0xB5
,
0xB4
,
0x71
,
0xA9
,
0xCE
,
0xC3
,
0x34
,
0x50
,
0x59
,
0xBF
,
0x2D
,
0x57
,
0x22
,
0xA6
,
0x30
,
0x04
,
0xB2
,
0xCD
,
0x36
,
0xD5
,
0x68
,
0x4D
,
0x5B
,
0x45
,
0x9E
,
0x85
,
0xCF
,
0x9D
,
0xCC
,
0x61
,
0x78
,
0x32
,
0x76
,
0x31
,
0xE3
,
0x80
,
0xAD
,
0x39
,
0x4F
,
0xFA
,
0x72
,
0x83
,
0x4C
,
0x86
,
0x60
,
0xB7
,
0xD7
,
0x63
,
0x0C
,
0x44
,
0x35
,
0xB3
,
0x7B
,
0x19
,
0xD4
,
0x69
,
0x08
,
0x0B
,
0x1F
,
0x3D
,
0x11
,
0x79
,
0xD3
,
0xEE
,
0x93
,
0x42
,
0xDE
,
0x23
,
0x3B
,
0x5D
,
0x8D
,
0xA5
,
0x77
,
0x5F
,
0x58
,
0xDB
,
0x97
,
0xF6
,
0x7A
,
0x18
,
0x52
,
0x15
,
0x74
,
0x25
,
0x62
,
0x2C
,
0x05
,
0xE8
,
0x0D
,
0x98
,
0x2A
,
0x43
,
0xE2
,
0xEF
,
0x48
,
0x87
,
0x49
,
0x1C
,
0xCA
,
0x2B
,
0xA7
,
0x8A
,
0x09
,
0x81
,
0xE7
,
0x53
,
0xAA
,
0xFF
,
0x6F
,
0x8E
,
0x91
,
0xF1
,
0xF0
,
0xA4
,
0x46
,
0x3A
,
0x7D
,
0x54
,
0xEB
,
0x2F
,
0xC1
,
0xC0
,
0x0E
,
0xBD
,
0xE1
,
0x6C
,
0x64
,
0xBE
,
0xE4
,
0x02
,
0x3C
,
0x5A
,
0xA8
,
0x9F
,
0x37
,
0xAF
,
0xA0
,
0x13
,
0xED
,
0x1B
,
0xEC
,
0x8B
,
0x3E
,
0x7E
,
0x27
,
0x99
,
0x75
,
0xAB
,
0xFE
,
0xD9
,
0x3F
,
0xF3
,
0xEA
,
0x70
,
0xF7
,
0x95
,
0xBA
,
0x1D
,
0x40
,
0xB0
,
0xF9
,
0xE5
,
0xF8
,
0x06
,
0xBC
,
0xB6
,
0x03
,
0xC9
,
0x10
,
0x9C
,
0x2E
,
0x89
,
0x5C
,
0x7F
,
0xB1
,
0x1A
,
0xD6
,
0x90
,
0xAE
,
0xDA
,
0xE6
,
0x5E
,
0xB9
,
0x84
,
0xE9
,
0x55
,
0xBB
,
0xC7
,
0x0A
,
0xE0
,
0x66
,
0xF2
,
0xD8
,
0xCB
,
0x00
,
0x12
,
0xB8
,
0x17
,
0x94
,
0x6A
,
0x4A
,
0x01
,
0x24
,
0x14
,
0x51
,
0x07
,
0x65
,
0x21
,
0xC8
,
0x38
,
0xFD
,
0x8F
,
0xC4
,
0xF5
,
0xFC
]
def
check(flag):
global
off
byte_404220
=
[
0
]
*
512
v25
=
[[
0
for
i
in
range
(
256
)]
for
i
in
range
(
256
)]
v
=
0
index
=
1
while
1
:
byte_404220[
0
]
=
flag[index
-
1
]
byte_404220[
1
]
=
index
%
256
tmp
=
2
count
=
0
for
i
in
range
(
len
(off)):
for
k
in
range
(off[i]):
byte_404220[tmp]
=
flag[(byte_404220[count])&
0xff
]
byte_404220[tmp
+
1
]
=
(byte_404220[count]
+
1
)
%
256
count
+
=
1
tmp
+
=
2
for
i
in
range
(
256
):
v25[v][byte_404220[count]]
+
=
1
count
+
=
1
v
+
=
1
index
+
=
1
if
index>
256
:
break
v21
=
0
v22
=
0
v23
=
0
v24
=
0
for
i
in
range
(
256
):
if
v25[i][
0
]:
v21
+
=
1
if
v25[i][
40
-
26
]:
v22
+
=
1
if
v25[i][
40
]:
v23
+
=
1
if
v25[i][
40
+
39
]:
v24
+
=
1
if
v21
=
=
169
and
v22
=
=
172
and
v23
=
=
167
and
v24>
200
:
return
1
return
0
def
equal(a,b,c,d,e,f,g,h):
if
a
=
=
b
or
a
=
=
c
or
a
=
=
d
or
a
=
=
e
or
a
=
=
f
or
a
=
=
g
or
a
=
=
h:
return
1
if
b
=
=
c
or
b
=
=
d
or
b
=
=
e
or
b
=
=
f
or
b
=
=
g
or
b
=
=
h:
return
1
if
c
=
=
d
or
c
=
=
e
or
c
=
=
f
or
c
=
=
g
or
c
=
=
h:
return
1
if
d
=
=
e
or
d
=
=
f
or
d
=
=
g
or
d
=
=
h:
return
1
if
e
=
=
f
or
e
=
=
g
or
e
=
=
h:
return
1
if
f
=
=
g
or
f
=
=
h:
return
1
if
g
=
=
h:
return
1
return
0
s
=
[
0x1e
,
0x28
,
0x4b
,
0x6d
,
0x8c
,
0xa3
,
0xd2
,
0xfb
]
for
i
in
s:
for
j
in
s:
for
k
in
s:
for
l
in
s:
for
m
in
s:
for
n
in
s:
for
x
in
s:
for
y
in
s:
if
equal(i,j,k,l,m,n,x,y):
continue
table[
0
]
=
i
table[
1
]
=
j
table[
2
]
=
k
table[
3
]
=
l
table[
4
]
=
m
table[
5
]
=
n
table[
6
]
=
x
table[
7
]
=
y
if
check(table):
print
(
hex
(i),
hex
(j),
hex
(k),
hex
(l),
hex
(m),
hex
(n),
hex
(x),
hex
(y))
# b4d682c8bf2de13a
off
=
[
0x00000002
,
0x00000004
,
0x00000008
,
0x00000010
,
0x00000020
,
0x00000040
,
0x80
]
table
=
[
0x12
,
0x43
,
0x65
,
0x87
,
0x19
,
0x32
,
0x54
,
0x67
,
0xA2
,
0x9B
,
0xF4
,
0xDF
,
0xAC
,
0x7C
,
0xA1
,
0xC6
,
0x16
,
0xD0
,
0x0F
,
0xDD
,
0xDC
,
0x73
,
0xC5
,
0x6B
,
0xD1
,
0x96
,
0x47
,
0xC2
,
0x26
,
0x67
,
0x4E
,
0x41
,
0x82
,
0x20
,
0x56
,
0x9A
,
0x6E
,
0x33
,
0x92
,
0x88
,
0x29
,
0xB5
,
0xB4
,
0x71
,
0xA9
,
0xCE
,
0xC3
,
0x34
,
0x50
,
0x59
,
0xBF
,
0x2D
,
0x57
,
0x22
,
0xA6
,
0x30
,
0x04
,
0xB2
,
0xCD
,
0x36
,
0xD5
,
0x68
,
0x4D
,
0x5B
,
0x45
,
0x9E
,
0x85
,
0xCF
,
0x9D
,
0xCC
,
0x61
,
0x78
,
0x32
,
0x76
,
0x31
,
0xE3
,
0x80
,
0xAD
,
0x39
,
0x4F
,
0xFA
,
0x72
,
0x83
,
0x4C
,
0x86
,
0x60
,
0xB7
,
0xD7
,
0x63
,
0x0C
,
0x44
,
0x35
,
0xB3
,
0x7B
,
0x19
,
0xD4
,
0x69
,
0x08
,
0x0B
,
0x1F
,
0x3D
,
0x11
,
0x79
,
0xD3
,
0xEE
,
0x93
,
0x42
,
0xDE
,
0x23
,
0x3B
,
0x5D
,
0x8D
,
0xA5
,
0x77
,
0x5F
,
0x58
,
0xDB
,
0x97
,
0xF6
,
0x7A
,
0x18
,
0x52
,
0x15
,
0x74
,
0x25
,
0x62
,
0x2C
,
0x05
,
0xE8
,
0x0D
,
0x98
,
0x2A
,
0x43
,
0xE2
,
0xEF
,
0x48
,
0x87
,
0x49
,
0x1C
,
0xCA
,
0x2B
,
0xA7
,
0x8A
,
0x09
,
0x81
,
0xE7
,
0x53
,
0xAA
,
0xFF
,
0x6F
,
0x8E
,
0x91
,
0xF1
,
0xF0
,
0xA4
,
0x46
,
0x3A
,
0x7D
,
0x54
,
0xEB
,
0x2F
,
0xC1
,
0xC0
,
0x0E
,
0xBD
,
0xE1
,
0x6C
,
0x64
,
0xBE
,
0xE4
,
0x02
,
0x3C
,
0x5A
,
0xA8
,
0x9F
,
0x37
,
0xAF
,
0xA0
,
0x13
,
0xED
,
0x1B
,
0xEC
,
0x8B
,
0x3E
,
0x7E
,
0x27
,
0x99
,
0x75
,
0xAB
,
0xFE
,
0xD9
,
0x3F
,
0xF3
,
0xEA
,
0x70
,
0xF7
,
0x95
,
0xBA
,
0x1D
,
0x40
,
0xB0
,
0xF9
,
0xE5
,
0xF8
,
0x06
,
0xBC
,
0xB6
,
0x03
,
0xC9
,
0x10
,
0x9C
,
0x2E
,
0x89
,
0x5C
,
0x7F
,
0xB1
,
0x1A
,
0xD6
,
0x90
,
0xAE
,
0xDA
,
0xE6
,
0x5E
,
0xB9
,
0x84
,
0xE9
,
0x55
,
0xBB
,
0xC7
,
0x0A
,
0xE0
,
0x66
,
0xF2
,
0xD8
,
0xCB
,
0x00
,
0x12
,
0xB8
,
0x17
,
0x94
,
0x6A
,
0x4A
,
0x01
,
0x24
,
0x14
,
0x51
,
0x07
,
0x65
,
0x21
,
0xC8
,
0x38
,
0xFD
,
0x8F
,
0xC4
,
0xF5
,
0xFC
]
def
check(flag):
global
off
byte_404220
=
[
0
]
*
512
v25
=
[[
0
for
i
in
range
(
256
)]
for
i
in
range
(
256
)]
v
=
0
index
=
1
while
1
:
byte_404220[
0
]
=
flag[index
-
1
]
byte_404220[
1
]
=
index
%
256
tmp
=
2
count
=
0
for
i
in
range
(
len
(off)):
for
k
in
range
(off[i]):
byte_404220[tmp]
=
flag[(byte_404220[count])&
0xff
]
byte_404220[tmp
+
1
]
=
(byte_404220[count]
+
1
)
%
256
count
+
=
1
tmp
+
=
2
for
i
in
range
(
256
):
v25[v][byte_404220[count]]
+
=
1
count
+
=
1
v
+
=
1
index
+
=
1
if
index>
256
:
break
v21
=
0
v22
=
0
v23
=
0
v24
=
0
for
i
in
range
(
256
):
if
v25[i][
0
]:
v21
+
=
1
if
v25[i][
40
-
26
]:
v22
+
=
1
if
v25[i][
40
]:
v23
+
=
1
if
v25[i][
40
+
39
]:
v24
+
=
1
if
v21
=
=
169
and
v22
=
=
172
and
v23
=
=
167
and
v24>
200
:
return
1
return
0
def
equal(a,b,c,d,e,f,g,h):
if
a
=
=
b
or
a
=
=
c
or
a
=
=
d
or
a
=
=
e
or
a
=
=
f
or
a
=
=
g
or
a
=
=
h:
return
1
if
b
=
=
c
or
b
=
=
d
or
b
=
=
e
or
b
=
=
f
or
b
=
=
g
or
b
=
=
h:
return
1
if
c
=
=
d
or
c
=
=
e
or
c
=
=
f
or
c
=
=
g
or
c
=
=
h:
return
1
if
d
=
=
e
or
d
=
=
f
or
d
=
=
g
or
d
=
=
h:
return
1
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
赞赏
他的文章
看原图
赞赏
雪币:
留言: