首页
社区
课程
招聘
问答 CTF 排行榜 知识库 工具下载 峰会 看雪商城 证书查询
  1. 社区
  2. CTF对抗
    3. 发新帖
KCTF 迷失丛林
发表于: 2021-11-19 12:57 18306

KCTF 迷失丛林

tobeabel 活跃值
1
2021-11-19 12:57
18306

flag长度为32且必须为0-9A-F,调用sub_401580进行校验
图片描述

第一重校验,不知道啥算法。需要对统计数据0x00 0x0e 0x28 0x4f偏移处进行统计。猜测256的矩阵的前8字节为缺少的0x1e 0x28 0x4b 0x6d 0x8c 0xa3 0xd2 0xfb。可以对这8个字节进行排列组合大概4w种可能性。
爆破得到前16个4B 6D 28 8C FB D2 1E A3
图片描述

矩阵交换,提取运行后的矩阵用于最后计算。
图片描述
按字节进行加密,所以只需要按位爆破得到"GoodJob~"即可
图片描述

得到最后的验证:B4D682C8BF2DE13AD9B6AEF24A80CB22

还原代码来分析太累了,也许用unicorn运行提取的字节码可能会更方便

#include<stdio.h>
#define NUM 8
unsigned char matrix[256]={
0x8C,0xFB,0x4B,0x1E,0x28,0xA3,0xD2,0x6D,0xA2,0x9B,0xF4,0xDF,0xAC,0x7C,0xA1,0xC6,
0x16,0xD0,0x0F,0xDD,0xDC,0x73,0xC5,0x6B,0xD1,0x96,0x47,0xC2,0x26,0x67,0x4E,0x41,
0x82,0x20,0x56,0x9A,0x6E,0x33,0x92,0x88,0x29,0xB5,0xB4,0x71,0xA9,0xCE,0xC3,0x34,
0x50,0x59,0xBF,0x2D,0x57,0x22,0xA6,0x30,0x04,0xB2,0xCD,0x36,0xD5,0x68,0x4D,0x5B,
0x45,0x9E,0x85,0xCF,0x9D,0xCC,0x61,0x78,0x32,0x76,0x31,0xE3,0x80,0xAD,0x39,0x4F,
0xFA,0x72,0x83,0x4C,0x86,0x60,0xB7,0xD7,0x63,0x0C,0x44,0x35,0xB3,0x7B,0x19,0xD4,
0x69,0x08,0x0B,0x1F,0x3D,0x11,0x79,0xD3,0xEE,0x93,0x42,0xDE,0x23,0x3B,0x5D,0x8D,
0xA5,0x77,0x5F,0x58,0xDB,0x97,0xF6,0x7A,0x18,0x52,0x15,0x74,0x25,0x62,0x2C,0x05,
0xE8,0x0D,0x98,0x2A,0x43,0xE2,0xEF,0x48,0x87,0x49,0x1C,0xCA,0x2B,0xA7,0x8A,0x09,
0x81,0xE7,0x53,0xAA,0xFF,0x6F,0x8E,0x91,0xF1,0xF0,0xA4,0x46,0x3A,0x7D,0x54,0xEB,
0x2F,0xC1,0xC0,0x0E,0xBD,0xE1,0x6C,0x64,0xBE,0xE4,0x02,0x3C,0x5A,0xA8,0x9F,0x37,
0xAF,0xA0,0x13,0xED,0x1B,0xEC,0x8B,0x3E,0x7E,0x27,0x99,0x75,0xAB,0xFE,0xD9,0x3F,
0xF3,0xEA,0x70,0xF7,0x95,0xBA,0x1D,0x40,0xB0,0xF9,0xE5,0xF8,0x06,0xBC,0xB6,0x03,
0xC9,0x10,0x9C,0x2E,0x89,0x5C,0x7F,0xB1,0x1A,0xD6,0x90,0xAE,0xDA,0xE6,0x5E,0xB9,
0x84,0xE9,0x55,0xBB,0xC7,0x0A,0xE0,0x66,0xF2,0xD8,0xCB,0x00,0x12,0xB8,0x17,0x94,
0x6A,0x4A,0x01,0x24,0x14,0x51,0x07,0x65,0x21,0xC8,0x38,0xFD,0x8F,0xC4,0xF5,0xFC
};
unsigned char key[8] = {0x1E,0x28,0x4B,0x6D,0x8C,0xA3,0xD2,0xFB};
 
void check()
{
    int c1=0,c2=0,c3=0,c4=0;
    for(int i=0;i<8;i++)
    {
        matrix[i]=key[i];
    }
    for(int i=0;i<256;i++)
    {
        unsigned char table[512]={0};
        int count[256]={0};
        table[0]=matrix[i];
        table[1]=(unsigned char)i+1;
        for(int j=0;j<0xfe;j++)
        {
            table[j*2+2]=matrix[table[j]];
            table[j*2+3]=table[j]+1;
        }
 
        for(int j=0;j<256;j++)
        {
            count[table[j+0xfe]] += 1;
        }
        if(count[0]!=0)
            c1++;
        if(count[0x0e]!=0)
            c2++;
        if(count[0x28]!=0)
            c3++;
        if(count[0x4f]!=0)
            c4++;
    }
    if(c1==0xA9&&c2==0xAC&&c3==0xA7&&c4>0xc8)
    {
        for(int i=0;i<8;i++)
        {
            printf("%.2X ",key[i]);
        }
        printf("\n");
    }
}
void do_range(int low, int high)
{
    if(low == high)
    {
        check();
    }
    else
    {
        do_range(low+1, high);
 
        for(int i=low+1; i<=high; i++)
        {
            //递归前交换
            int t = key[low]; key[low] = key[i]; key[i] = t;
            do_range(low+1, high);
            //递归后复位
            t = key[low]; key[low] = key[i]; key[i] = t;
        }
    }
}
 
 
int main()
{  
    do_range(0, NUM-1);
}
#include<stdio.h>
#define NUM 8
unsigned char matrix[256]={
0x8C,0xFB,0x4B,0x1E,0x28,0xA3,0xD2,0x6D,0xA2,0x9B,0xF4,0xDF,0xAC,0x7C,0xA1,0xC6,
0x16,0xD0,0x0F,0xDD,0xDC,0x73,0xC5,0x6B,0xD1,0x96,0x47,0xC2,0x26,0x67,0x4E,0x41,
0x82,0x20,0x56,0x9A,0x6E,0x33,0x92,0x88,0x29,0xB5,0xB4,0x71,0xA9,0xCE,0xC3,0x34,
0x50,0x59,0xBF,0x2D,0x57,0x22,0xA6,0x30,0x04,0xB2,0xCD,0x36,0xD5,0x68,0x4D,0x5B,
0x45,0x9E,0x85,0xCF,0x9D,0xCC,0x61,0x78,0x32,0x76,0x31,0xE3,0x80,0xAD,0x39,0x4F,
0xFA,0x72,0x83,0x4C,0x86,0x60,0xB7,0xD7,0x63,0x0C,0x44,0x35,0xB3,0x7B,0x19,0xD4,
0x69,0x08,0x0B,0x1F,0x3D,0x11,0x79,0xD3,0xEE,0x93,0x42,0xDE,0x23,0x3B,0x5D,0x8D,
0xA5,0x77,0x5F,0x58,0xDB,0x97,0xF6,0x7A,0x18,0x52,0x15,0x74,0x25,0x62,0x2C,0x05,
0xE8,0x0D,0x98,0x2A,0x43,0xE2,0xEF,0x48,0x87,0x49,0x1C,0xCA,0x2B,0xA7,0x8A,0x09,
0x81,0xE7,0x53,0xAA,0xFF,0x6F,0x8E,0x91,0xF1,0xF0,0xA4,0x46,0x3A,0x7D,0x54,0xEB,
0x2F,0xC1,0xC0,0x0E,0xBD,0xE1,0x6C,0x64,0xBE,0xE4,0x02,0x3C,0x5A,0xA8,0x9F,0x37,
0xAF,0xA0,0x13,0xED,0x1B,0xEC,0x8B,0x3E,0x7E,0x27,0x99,0x75,0xAB,0xFE,0xD9,0x3F,
0xF3,0xEA,0x70,0xF7,0x95,0xBA,0x1D,0x40,0xB0,0xF9,0xE5,0xF8,0x06,0xBC,0xB6,0x03,
0xC9,0x10,0x9C,0x2E,0x89,0x5C,0x7F,0xB1,0x1A,0xD6,0x90,0xAE,0xDA,0xE6,0x5E,0xB9,
0x84,0xE9,0x55,0xBB,0xC7,0x0A,0xE0,0x66,0xF2,0xD8,0xCB,0x00,0x12,0xB8,0x17,0x94,
0x6A,0x4A,0x01,0x24,0x14,0x51,0x07,0x65,0x21,0xC8,0x38,0xFD,0x8F,0xC4,0xF5,0xFC
};
unsigned char key[8] = {0x1E,0x28,0x4B,0x6D,0x8C,0xA3,0xD2,0xFB};
 
void check()
{
    int c1=0,c2=0,c3=0,c4=0;
    for(int i=0;i<8;i++)
    {
        matrix[i]=key[i];
    }
    for(int i=0;i<256;i++)
    {
        unsigned char table[512]={0};
        int count[256]={0};
        table[0]=matrix[i];
        table[1]=(unsigned char)i+1;
        for(int j=0;j<0xfe;j++)
        {
            table[j*2+2]=matrix[table[j]];
            table[j*2+3]=table[j]+1;
        }
 
        for(int j=0;j<256;j++)
        {
            count[table[j+0xfe]] += 1;
        }
        if(count[0]!=0)
            c1++;
        if(count[0x0e]!=0)
            c2++;
        if(count[0x28]!=0)
            c3++;
        if(count[0x4f]!=0)
            c4++;
    }
    if(c1==0xA9&&c2==0xAC&&c3==0xA7&&c4>0xc8)
    {
        for(int i=0;i<8;i++)
        {
            printf("%.2X ",key[i]);
        }
        printf("\n");
    }
}
void do_range(int low, int high)
{
    if(low == high)
    {
        check();
    }
    else
    {
        do_range(low+1, high);
 
        for(int i=low+1; i<=high; i++)
        {
            //递归前交换
            int t = key[low]; key[low] = key[i]; key[i] = t;
            do_range(low+1, high);

[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课

收藏
免费 2
支持
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
回帖 表情 雪币赚取及消费
高级回复
返回
//