-
-
KCTF 迷失丛林
-
发表于: 2021-11-19 12:57
-
flag长度为32且必须为0-9A-F,调用sub_401580进行校验
第一重校验,不知道啥算法。需要对统计数据0x00 0x0e 0x28 0x4f偏移处进行统计。猜测256的矩阵的前8字节为缺少的0x1e 0x28 0x4b 0x6d 0x8c 0xa3 0xd2 0xfb。可以对这8个字节进行排列组合大概4w种可能性。
爆破得到前16个4B 6D 28 8C FB D2 1E A3
矩阵交换,提取运行后的矩阵用于最后计算。
按字节进行加密,所以只需要按位爆破得到"GoodJob~"即可
得到最后的验证:B4D682C8BF2DE13AD9B6AEF24A80CB22
还原代码来分析太累了,也许用unicorn运行提取的字节码可能会更方便
#include<stdio.h>#define NUM 8unsigned char matrix[256]={
0x8C,0xFB,0x4B,0x1E,0x28,0xA3,0xD2,0x6D,0xA2,0x9B,0xF4,0xDF,0xAC,0x7C,0xA1,0xC6,
0x16,0xD0,0x0F,0xDD,0xDC,0x73,0xC5,0x6B,0xD1,0x96,0x47,0xC2,0x26,0x67,0x4E,0x41,
0x82,0x20,0x56,0x9A,0x6E,0x33,0x92,0x88,0x29,0xB5,0xB4,0x71,0xA9,0xCE,0xC3,0x34,
0x50,0x59,0xBF,0x2D,0x57,0x22,0xA6,0x30,0x04,0xB2,0xCD,0x36,0xD5,0x68,0x4D,0x5B,
0x45,0x9E,0x85,0xCF,0x9D,0xCC,0x61,0x78,0x32,0x76,0x31,0xE3,0x80,0xAD,0x39,0x4F,
0xFA,0x72,0x83,0x4C,0x86,0x60,0xB7,0xD7,0x63,0x0C,0x44,0x35,0xB3,0x7B,0x19,0xD4,
0x69,0x08,0x0B,0x1F,0x3D,0x11,0x79,0xD3,0xEE,0x93,0x42,0xDE,0x23,0x3B,0x5D,0x8D,
0xA5,0x77,0x5F,0x58,0xDB,0x97,0xF6,0x7A,0x18,0x52,0x15,0x74,0x25,0x62,0x2C,0x05,
0xE8,0x0D,0x98,0x2A,0x43,0xE2,0xEF,0x48,0x87,0x49,0x1C,0xCA,0x2B,0xA7,0x8A,0x09,
0x81,0xE7,0x53,0xAA,0xFF,0x6F,0x8E,0x91,0xF1,0xF0,0xA4,0x46,0x3A,0x7D,0x54,0xEB,
0x2F,0xC1,0xC0,0x0E,0xBD,0xE1,0x6C,0x64,0xBE,0xE4,0x02,0x3C,0x5A,0xA8,0x9F,0x37,
0xAF,0xA0,0x13,0xED,0x1B,0xEC,0x8B,0x3E,0x7E,0x27,0x99,0x75,0xAB,0xFE,0xD9,0x3F,
0xF3,0xEA,0x70,0xF7,0x95,0xBA,0x1D,0x40,0xB0,0xF9,0xE5,0xF8,0x06,0xBC,0xB6,0x03,
0xC9,0x10,0x9C,0x2E,0x89,0x5C,0x7F,0xB1,0x1A,0xD6,0x90,0xAE,0xDA,0xE6,0x5E,0xB9,
0x84,0xE9,0x55,0xBB,0xC7,0x0A,0xE0,0x66,0xF2,0xD8,0xCB,0x00,0x12,0xB8,0x17,0x94,
0x6A,0x4A,0x01,0x24,0x14,0x51,0x07,0x65,0x21,0xC8,0x38,0xFD,0x8F,0xC4,0xF5,0xFC
};unsigned char key[8] = {0x1E,0x28,0x4B,0x6D,0x8C,0xA3,0xD2,0xFB};
void check(){ int c1=0,c2=0,c3=0,c4=0;
for(int i=0;i<8;i++)
{
matrix[i]=key[i];
}
for(int i=0;i<256;i++)
{
unsigned char table[512]={0};
int count[256]={0};
table[0]=matrix[i];
table[1]=(unsigned char)i+1;
for(int j=0;j<0xfe;j++)
{
table[j*2+2]=matrix[table[j]];
table[j*2+3]=table[j]+1;
}
for(int j=0;j<256;j++)
{
count[table[j+0xfe]] += 1;
}
if(count[0]!=0)
c1++;
if(count[0x0e]!=0)
c2++;
if(count[0x28]!=0)
c3++;
if(count[0x4f]!=0)
c4++;
}
if(c1==0xA9&&c2==0xAC&&c3==0xA7&&c4>0xc8)
{
for(int i=0;i<8;i++)
{
printf("%.2X ",key[i]);
}
printf("\n");
}
}void do_range(int low, int high)
{ if(low == high)
{
check();
}
else
{
do_range(low+1, high);
for(int i=low+1; i<=high; i++)
{
//递归前交换
int t = key[low]; key[low] = key[i]; key[i] = t;
do_range(low+1, high);
//递归后复位
t = key[low]; key[low] = key[i]; key[i] = t;
}
}
}int main()
{ do_range(0, NUM-1);
}#include<stdio.h>#define NUM 8unsigned char matrix[256]={
0x8C,0xFB,0x4B,0x1E,0x28,0xA3,0xD2,0x6D,0xA2,0x9B,0xF4,0xDF,0xAC,0x7C,0xA1,0xC6,
0x16,0xD0,0x0F,0xDD,0xDC,0x73,0xC5,0x6B,0xD1,0x96,0x47,0xC2,0x26,0x67,0x4E,0x41,
0x82,0x20,0x56,0x9A,0x6E,0x33,0x92,0x88,0x29,0xB5,0xB4,0x71,0xA9,0xCE,0xC3,0x34,
0x50,0x59,0xBF,0x2D,0x57,0x22,0xA6,0x30,0x04,0xB2,0xCD,0x36,0xD5,0x68,0x4D,0x5B,
0x45,0x9E,0x85,0xCF,0x9D,0xCC,0x61,0x78,0x32,0x76,0x31,0xE3,0x80,0xAD,0x39,0x4F,
0xFA,0x72,0x83,0x4C,0x86,0x60,0xB7,0xD7,0x63,0x0C,0x44,0x35,0xB3,0x7B,0x19,0xD4,
0x69,0x08,0x0B,0x1F,0x3D,0x11,0x79,0xD3,0xEE,0x93,0x42,0xDE,0x23,0x3B,0x5D,0x8D,
0xA5,0x77,0x5F,0x58,0xDB,0x97,0xF6,0x7A,0x18,0x52,0x15,0x74,0x25,0x62,0x2C,0x05,
0xE8,0x0D,0x98,0x2A,0x43,0xE2,0xEF,0x48,0x87,0x49,0x1C,0xCA,0x2B,0xA7,0x8A,0x09,
0x81,0xE7,0x53,0xAA,0xFF,0x6F,0x8E,0x91,0xF1,0xF0,0xA4,0x46,0x3A,0x7D,0x54,0xEB,
0x2F,0xC1,0xC0,0x0E,0xBD,0xE1,0x6C,0x64,0xBE,0xE4,0x02,0x3C,0x5A,0xA8,0x9F,0x37,
0xAF,0xA0,0x13,0xED,0x1B,0xEC,0x8B,0x3E,0x7E,0x27,0x99,0x75,0xAB,0xFE,0xD9,0x3F,
0xF3,0xEA,0x70,0xF7,0x95,0xBA,0x1D,0x40,0xB0,0xF9,0xE5,0xF8,0x06,0xBC,0xB6,0x03,
0xC9,0x10,0x9C,0x2E,0x89,0x5C,0x7F,0xB1,0x1A,0xD6,0x90,0xAE,0xDA,0xE6,0x5E,0xB9,
0x84,0xE9,0x55,0xBB,0xC7,0x0A,0xE0,0x66,0xF2,0xD8,0xCB,0x00,0x12,0xB8,0x17,0x94,
0x6A,0x4A,0x01,0x24,0x14,0x51,0x07,0x65,0x21,0xC8,0x38,0xFD,0x8F,0xC4,0xF5,0xFC
};unsigned char key[8] = {0x1E,0x28,0x4B,0x6D,0x8C,0xA3,0xD2,0xFB};
void check(){ int c1=0,c2=0,c3=0,c4=0;
for(int i=0;i<8;i++)
{
matrix[i]=key[i];
}
for(int i=0;i<256;i++)
{
unsigned char table[512]={0};
int count[256]={0};
table[0]=matrix[i];
table[1]=(unsigned char)i+1;
for(int j=0;j<0xfe;j++)
{
table[j*2+2]=matrix[table[j]];
table[j*2+3]=table[j]+1;
}
for(int j=0;j<256;j++)
{
count[table[j+0xfe]] += 1;
}
if(count[0]!=0)
c1++;
if(count[0x0e]!=0)
c2++;
if(count[0x28]!=0)
c3++;
if(count[0x4f]!=0)
c4++;
}
if(c1==0xA9&&c2==0xAC&&c3==0xA7&&c4>0xc8)
{
for(int i=0;i<8;i++)
{
printf("%.2X ",key[i]);
}
printf("\n");
}
}void do_range(int low, int high)
{ if(low == high)
{
check();
}
else
{
do_range(low+1, high);
for(int i=low+1; i<=high; i++)
{
//递归前交换
int t = key[low]; key[low] = key[i]; key[i] = t;
do_range(low+1, high);
[培训]传播安全知识、拓宽行业人脉——看雪讲师团队等你加入!
|
|
|---|---|
