[原创]2021KCTF秋季赛 迷失丛林
2021-11-30 14:04 13971
/*
 * First-stage serial check (decompiler output, fragment).
 *
 * For v2 = 1..256 the outer loop builds a byte sequence in byte_404220 from
 * the table at dword_404000, tallies 256 bytes of that sequence into the
 * current 256-entry row of v25, and moves v25 to the next row.  Afterwards
 * four counters record how many rows have a non-zero tally at four fixed
 * offsets.  The listing stops at the final `if`; its body is not part of
 * this fragment.
 */
do
{
  byte_404220[0] = *((_BYTE *)&dword_404000 + v2 - 1); // take the first byte: table entry at index v2 - 1
  byte_404221 = v2;                     // second seed byte is the loop counter (presumably byte_404220[1], judging by the name; confirm)
  v3 = byte_404220;                     // read cursor
  v4 = &dword_404100;                   // cursor over the per-pass repeat counts
  v5 = &byte_404220[dword_404100];      // write cursor, starting dword_404100 bytes into the buffer
  do
  {
    v6 = *v4;                           // repeat count for this pass
    if ( *v4 > 0 )
    {
      do
      {
        // Every byte consumed through v3 emits two bytes through v5:
        // the table entry indexed by that byte, then the byte plus one.
        v7 = v5 + 1;
        *(v7 - 1) = *((_BYTE *)&dword_404000 + (unsigned __int8)*v3);
        *v7 = *v3 + 1;
        v5 = v7 + 1;
        ++v3;
        --v6;
      }
      while ( v6 );
    }
    ++v4;
  }
  while ( (int)v4 < (int)&unk_40411C ); // stop once the count cursor reaches unk_40411C
  v8 = 256;
  do
  {
    ++v25[(unsigned __int8)*v3++];      // tally the next 256 bytes read through v3 by value
    --v8;
  }
  while ( v8 );
  ++v2;
  v25 += 256;                           // advance to the next 256-entry tally row
}
while ( v2 - 1 < 256 );
v9 = &unk_404448;
v10 = 256;
do
{
  // Offsets -40, -26, 0 and +39 from v9 are 0, 14, 40 and 79 bytes past
  // v9 - 40; the Python re-implementation on this page reads columns
  // 0, 14, 40 and 79 of each row (assumes v9 - 40 is the tally base; confirm).
  if ( *(v9 - 40) )
    ++v21;
  if ( *(v9 - 26) )
    ++v22;
  if ( *v9 )
    ++v23;
  if ( v9[39] )
    ++v24;
  v9 += 256;                            // next row
  --v10;
}
while ( v10 );
// Acceptance condition for the first stage: three exact counts and one lower bound.
if ( v21 == (char)0xA9 && v22 == (char)0xAC && v23 == (char)0xA7 && v24 > 0xC8u )
这里是验证第一段序列号的逻辑
可以发现前8个字节被放进了dword_404000里;另外经过测试,这张表其实是个S盒,里面没有重复的数字。
S盒没有重复,所以可以确定前8个字节是哪些值(也就是表中缺少的那8个数),但是并不知道它们之间的顺序是什么。
0x1e,0x28,0x4b,0x6d,0x8c,0xa3,0xd2,0xfb
确定这8个字节之后,就可以爆破它们的顺序了,大概10分钟可以爆出来。
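import itertools
import sys

# The 248 table bytes that are already known.  The eight bytes taken from the
# serial are prepended to this list to form the full 256-entry table that the
# first-stage check operates on.
a = [
    0xA2, 0x9B, 0xF4, 0xDF, 0xAC, 0x7C, 0xA1, 0xC6,
    0x16, 0xD0, 0x0F, 0xDD, 0xDC, 0x73, 0xC5, 0x6B,
    0xD1, 0x96, 0x47, 0xC2, 0x26, 0x67, 0x4E, 0x41,
    0x82, 0x20, 0x56, 0x9A, 0x6E, 0x33, 0x92, 0x88,
    0x29, 0xB5, 0xB4, 0x71, 0xA9, 0xCE, 0xC3, 0x34,
    0x50, 0x59, 0xBF, 0x2D, 0x57, 0x22, 0xA6, 0x30,
    0x04, 0xB2, 0xCD, 0x36, 0xD5, 0x68, 0x4D, 0x5B,
    0x45, 0x9E, 0x85, 0xCF, 0x9D, 0xCC, 0x61, 0x78,
    0x32, 0x76, 0x31, 0xE3, 0x80, 0xAD, 0x39, 0x4F,
    0xFA, 0x72, 0x83, 0x4C, 0x86, 0x60, 0xB7, 0xD7,
    0x63, 0x0C, 0x44, 0x35, 0xB3, 0x7B, 0x19, 0xD4,
    0x69, 0x08, 0x0B, 0x1F, 0x3D, 0x11, 0x79, 0xD3,
    0xEE, 0x93, 0x42, 0xDE, 0x23, 0x3B, 0x5D, 0x8D,
    0xA5, 0x77, 0x5F, 0x58, 0xDB, 0x97, 0xF6, 0x7A,
    0x18, 0x52, 0x15, 0x74, 0x25, 0x62, 0x2C, 0x05,
    0xE8, 0x0D, 0x98, 0x2A, 0x43, 0xE2, 0xEF, 0x48,
    0x87, 0x49, 0x1C, 0xCA, 0x2B, 0xA7, 0x8A, 0x09,
    0x81, 0xE7, 0x53, 0xAA, 0xFF, 0x6F, 0x8E, 0x91,
    0xF1, 0xF0, 0xA4, 0x46, 0x3A, 0x7D, 0x54, 0xEB,
    0x2F, 0xC1, 0xC0, 0x0E, 0xBD, 0xE1, 0x6C, 0x64,
    0xBE, 0xE4, 0x02, 0x3C, 0x5A, 0xA8, 0x9F, 0x37,
    0xAF, 0xA0, 0x13, 0xED, 0x1B, 0xEC, 0x8B, 0x3E,
    0x7E, 0x27, 0x99, 0x75, 0xAB, 0xFE, 0xD9, 0x3F,
    0xF3, 0xEA, 0x70, 0xF7, 0x95, 0xBA, 0x1D, 0x40,
    0xB0, 0xF9, 0xE5, 0xF8, 0x06, 0xBC, 0xB6, 0x03,
    0xC9, 0x10, 0x9C, 0x2E, 0x89, 0x5C, 0x7F, 0xB1,
    0x1A, 0xD6, 0x90, 0xAE, 0xDA, 0xE6, 0x5E, 0xB9,
    0x84, 0xE9, 0x55, 0xBB, 0xC7, 0x0A, 0xE0, 0x66,
    0xF2, 0xD8, 0xCB, 0x00, 0x12, 0xB8, 0x17, 0x94,
    0x6A, 0x4A, 0x01, 0x24, 0x14, 0x51, 0x07, 0x65,
    0x21, 0xC8, 0x38, 0xFD, 0x8F, 0xC4, 0xF5, 0xFC,
]


def check(d):
    """Return 1 if any value appears more than once in *d*, otherwise 0."""
    return 1 if len(set(d)) != len(d) else 0


# The eight byte values whose order is being searched for.
burst_num = [0x1e, 0x28, 0x4b, 0x6d, 0x8c, 0xa3, 0xd2, 0xfb]


def enc_fun(d):
    """Re-implement the first-stage check for a 256-entry table *d*.

    For each start value 1..256 a 510-byte sequence is expanded from two seed
    bytes (every consumed byte yields ``d[byte]`` and ``byte + 1``), and the
    last 256 bytes of it are tallied into that start value's 256-entry row.
    The function then counts the rows with a non-zero tally in columns 0, 14,
    40 and 79.

    Returns 1 when those four counts satisfy the comparison taken from the
    decompiled code (0xA9, 0xAC, 0xA7 and more than 0xC8), otherwise 0.
    Near misses (fourth count above 0xC8) are printed as a progress hint.
    """
    tallies = [0] * (256 * 256)
    f = [0] * 512  # every slot that is read below is rewritten on each pass

    for row in range(256):
        start = row + 1
        f[0] = d[start - 1]
        f[1] = start & 0xff
        # 254 consumed bytes produce 508 more bytes: slots 2..509.
        for k in range(254):
            consumed = f[k]
            f[2 + 2 * k] = d[consumed]
            f[3 + 2 * k] = (consumed + 1) & 0xff
        # Reading continues where the expansion stopped: slots 254..509.
        base = row * 256
        for value in f[254:510]:
            tallies[base + value] += 1

    v21 = v22 = v23 = v24 = 0
    for base in range(0, 256 * 256, 256):
        if tallies[base]:
            v21 += 1
        if tallies[base + 14]:
            v22 += 1
        if tallies[base + 40]:
            v23 += 1
        if tallies[base + 79]:
            v24 += 1

    if v24 > 0xc8:
        print(hex(v21), hex(v22), hex(v23), hex(v24))
    if v21 == 0xA9 and v22 == 0xAC and v23 == 0xA7 and v24 > 0xc8:
        return 1
    return 0


def candidate_orders():
    """Yield each ordering of ``burst_num`` as a list.

    ``itertools.permutations`` visits the 8! = 40320 orderings in the same
    order in which eight nested loops over ``burst_num`` reach them, without
    stepping through the 8**8 tuples that repeat a value.  The ``check`` guard
    keeps the original behaviour if ``burst_num`` is edited to hold duplicates.
    """
    for order in itertools.permutations(burst_num):
        d = list(order)
        if check(d):
            continue
        yield d


def brust():
    """Try every ordering of the eight bytes; print the first hit and exit."""
    for order in candidate_orders():
        if enc_fun(order + a):
            print(*order)
            sys.exit()


if __name__ == '__main__':
    brust()
# Result reported by the author: 0x4b,0x6d,0x28,0x8c,0xfb,0xd2,0x1e,0xa3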
B4D682C8BF2DE13A 是序列号的前16位(对照脚本末尾注释里的8个字节可以看到,每个字节的高低半字节是互换着写的,例如 0x4b 写成 B4)。
后8个字节序列号的逻辑代码
/*
 * Second-stage check (decompiler output, fragment), entered only when the
 * first-stage counters match.  It first rewrites the 256-byte table at
 * dword_404000 in place, then transforms the first eight table bytes under
 * control of the eight input bytes at a2 and compares the result with Str2.
 */
if ( v21 == (char)0xA9 && v22 == (char)0xAC && v23 == (char)0xA7 && v24 > 0xC8u )
{
  v11 = 0;
  while ( 2 )                           // constant non-zero condition: left only via break/return
  {
    // Look for a table entry whose value is v11; skip this v11 if there is none.
    v12 = 0;
    while ( *((unsigned __int8 *)&dword_404000 + v12) != v11 )
    {
      if ( ++v12 >= 256 )
        goto LABEL_32;
    }
    v13 = *((_BYTE *)&dword_404000 + v11); // remember table[v11]
    v14 = 0;                               // step counter
    v15 = v11;
    if ( v11 != v13 )
    {
      do
      {
        // Follow the chain starting at v11: table[v15] takes the value of
        // table[table[v15]], then v15 moves to the old table[v15].
        ++v14;
        v16 = *((unsigned __int8 *)&dword_404000 + v15);
        *((_BYTE *)&dword_404000 + v15) = *((_BYTE *)&dword_404000 + v16);
        v15 = v16;
        if ( v14 >= 256 )
          return 0;                     // give up when the chain has not returned to v11 after 256 steps
      }
      while ( v11 != *((unsigned __int8 *)&dword_404000 + v16) );
    }
    *((_BYTE *)&dword_404000 + v15) = v13; // store the remembered value at the final position
LABEL_32:
    if ( ++v11 < 256 )
      continue;
    break;
  }
  v17 = 0;
  // Copy the first two dwords of the rewritten table; the loop below indexes
  // Str1 as eight bytes (presumably dword_414424 directly follows Str1; confirm).
  Str1 = dword_404000;
  dword_414424 = dword_404004;
  do
  {
    for ( i = 0; i < 8; ++i )
    {
      if ( v17 >= 8 )
      {
        // Ninth round: only bytes 0 and 7 are decremented.
        if ( !i || i == 7 )
          --*((_BYTE *)&Str1 + i);
      }
      else
      {
        // Rounds 0..7: the low bit of input byte i picks the step,
        // "add one" when set, "table lookup" when clear.
        if ( (*(_BYTE *)(a2 + i) & 1) != 0 )
          v19 = *((_BYTE *)&Str1 + i) + 1;
        else
          v19 = *((_BYTE *)&dword_404000 + *((unsigned __int8 *)&Str1 + i));
        *((_BYTE *)&Str1 + i) = v19;
        *(_BYTE *)(a2 + i) >>= 1;       // consume the bit (modifies the input buffer)
      }
    }
    ++v17;
  }
  while ( v17 < 9 );
  // The eight transformed bytes must equal the first eight bytes of Str2.
  if ( !strncmp(&Str1, Str2, 8) )
  {
    MessageBoxA(this[1], Str2, Caption, 0x40u); // show the success message
    return 1;
  }
}
最后要等于“GoodJob~”
得到序列号的前8个字节后我们就可以进入这里面了,然后可以dump出dword_404000的数据,这里是对后8个字节进行加密。
这里也是采用爆破,这里可以单字节爆破,我是一个个字节来爆破的。
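# Contents of the 256-byte table as dumped from the running program once the
# first half of the serial is accepted.  Its first eight bytes are the
# starting values that the second-stage check transforms.
data = [
    0xC1, 0x9B, 0x7F, 0x58, 0x64, 0xD5, 0x77, 0x21,
    0x74, 0xEB, 0x14, 0xBF, 0xDF, 0x25, 0x5A, 0x37,
    0x85, 0x2C, 0xAF, 0x8C, 0xDA, 0x26, 0xE2, 0x7A,
    0x87, 0x4C, 0x60, 0x99, 0x54, 0x3C, 0x95, 0xC0,
    0xB9, 0x0C, 0xBC, 0x0E, 0xE7, 0x2D, 0x86, 0xBE,
    0x67, 0xD3, 0xD8, 0xFC, 0x30, 0xB6, 0xC8, 0x57,
    0x1E, 0x62, 0x3E, 0xCE, 0xA0, 0xCD, 0xF5, 0xEE,
    0xA7, 0xCF, 0x45, 0xFE, 0xD0, 0x80, 0x05, 0xAD,
    0x13, 0xF3, 0xB7, 0x6B, 0x22, 0x2B, 0xBD, 0x69,
    0x42, 0x4B, 0xA5, 0xEA, 0xA6, 0xD2, 0x6F, 0x4F,
    0x4E, 0x07, 0xE1, 0x36, 0x01, 0xB5, 0xAA, 0xB1,
    0x94, 0x0B, 0x35, 0x3A, 0xC7, 0x49, 0x53, 0x82,
    0xC3, 0x7B, 0x32, 0xFF, 0x19, 0xC4, 0xF1, 0xC9,
    0xE8, 0xF7, 0x56, 0x15, 0xA3, 0x46, 0x89, 0x43,
    0x9D, 0x8F, 0x20, 0xEF, 0xBB, 0x2A, 0xCB, 0x09,
    0x93, 0x4A, 0x1C, 0xE3, 0x33, 0xD1, 0xE0, 0x1D,
    0x72, 0x7C, 0x27, 0xE9, 0x17, 0x28, 0x6D, 0x6A,
    0xD9, 0x00, 0x9A, 0xE5, 0x63, 0xDE, 0x23, 0x9F,
    0x0D, 0x47, 0x3B, 0x65, 0x08, 0x84, 0x6C, 0x1A,
    0x88, 0x12, 0xA1, 0xA4, 0xB3, 0x18, 0x24, 0x1B,
    0xD7, 0x44, 0xDB, 0xAC, 0x6E, 0x7D, 0x51, 0x5E,
    0xED, 0x50, 0xD6, 0x11, 0x5B, 0x9C, 0xB4, 0x68,
    0x3D, 0x2F, 0x03, 0x40, 0xBA, 0x2E, 0xCA, 0x02,
    0xE6, 0xA8, 0xEC, 0x83, 0x06, 0x5D, 0xB8, 0x4D,
    0x97, 0x66, 0xF0, 0xFB, 0x8A, 0x55, 0xAB, 0xB2,
    0x04, 0xFA, 0x0A, 0x31, 0x71, 0xCC, 0x8B, 0x73,
    0xA9, 0x48, 0x5C, 0xF9, 0x98, 0xE4, 0xC6, 0x34,
    0xC5, 0x7E, 0x81, 0x75, 0x90, 0x1F, 0x92, 0x3F,
    0x9E, 0x10, 0x29, 0x52, 0x39, 0xF4, 0x41, 0x78,
    0x5F, 0x16, 0x79, 0xC2, 0xB0, 0xDD, 0xF2, 0x61,
    0x0F, 0x70, 0xD4, 0x91, 0xDC, 0xF6, 0xF8, 0xFD,
    0x59, 0x38, 0x8D, 0x96, 0xAE, 0x8E, 0x76, 0xA2,
]


def solve_byte(pos, target):
    """Return every input byte (0..255) that maps ``data[pos]`` to *target*.

    Mirrors the nine-round loop of the decompiled check for one byte position:
    in each of the first eight rounds the lowest remaining bit of the input
    byte selects "add one" (bit set) or "table lookup" (bit clear); in the
    ninth round only positions 0 and 7 are decremented.  Arithmetic wraps to
    one byte, as the byte accesses in the decompiled code do.

    Args:
        pos: Byte position 0..7 inside the eight-byte block.
        target: Required final byte value, e.g. ``ord('~')`` for position 7.

    Returns:
        List of matching input byte values in ascending order.
    """
    hits = []
    # All 256 byte values are tried; range(0xff) would leave out 0xff itself.
    for candidate in range(256):
        value = data[pos]
        bits = candidate
        for _ in range(8):
            if bits & 1:
                value = (value + 1) & 0xff
            else:
                value = data[value]
            bits >>= 1
        if pos in (0, 7):
            value = (value - 1) & 0xff
        if value == target:
            hits.append(candidate)
    return hits


# print(chr(0x58))
print("start:")
# Position 7 must end up as '~', the last character of the expected string.
for i in solve_byte(7, ord('~')):
    print(hex(i))
# Per-byte results reported by the author: 0x9D 0x6b 0xea 0x2f 0xa4 0x8 0xbc 0x22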
得到序列号:B4D682C8BF2DE13AD9B6AEF24A80CB22
最后于 2021-11-30 16:47
被n3ko编辑