-
-
[原创]KCTF2022春季赛第二题分析(4qwerty7)
-
发表于: 2022-5-12 03:27 10157
-
分析代码可知,首先flag被做了两个hash
首先是在 GF(2^8) 上的类 BKDR hash:
然后是 CRC32:
接下来 flag 的每一位通过下面的方法转为数字
然后根据 xv 通过 3x+1猜想 的过程计算出 v17 的值:
容易验证对于非0 xv 输入的 v17 值均为 7.
然后要求 flag 的前 3 位的异或和为 v17,接下来4位是KCTF。
而长度为 v17+2 的第二部分被要求:
容易发现第二部分的值均为 1~9 的数字。
同时,还要求
由于 987654321 <= 0x4B435445,容易验证此条件无效,即要求数字前 i 位被 i 整除,可搜索出全部满足此要求的数字:
根据前文,这里很可能选取 381654729。
如果第二部分后还有多余内容,则要求经过加密操作后与两段文本的异或结果相等。
可以验证,如果加密,则此处是无解的:
如果不加密,则至多增补两个 0。
综上所述,开头3个字符尚未确定,爆破CRC32即可:
得到结果为 421KCTF381654729。
v5
=
0
for
i
in
flag:
v5 ^
=
i
for
_
in
range
(
8
):
v9
=
2
*
v5
if
v9 >
127
:
v9 ^
=
128
+
7
v5
=
v9
xv
=
v5
v5
=
0
for
i
in
flag:
v5 ^
=
i
for
_
in
range
(
8
):
v9
=
2
*
v5
if
v9 >
127
:
v9 ^
=
128
+
7
v5
=
v9
xv
=
v5
import
numpy as np
ht
=
[]
for
i
in
range
(
256
):
v
=
np.int32(i)
for
_
in
range
(
8
):
v
=
(v >>
1
) ^ (np.int32(
-
0x12477CE0
)
if
(v &
1
) !
=
0
else
0
)
ht.append(v)
hv
=
np.int32(
-
1
)
for
k
in
flag:
hv
=
ht[np.uint8(np.int8(k) ^ hv)] ^ (hv >>
8
)
hv
=
~hv
import
numpy as np
ht
=
[]
for
i
in
range
(
256
):
v
=
np.int32(i)
for
_
in
range
(
8
):
v
=
(v >>
1
) ^ (np.int32(
-
0x12477CE0
)
if
(v &
1
) !
=
0
else
0
)
ht.append(v)
hv
=
np.int32(
-
1
)
for
k
in
flag:
hv
=
ht[np.uint8(np.int8(k) ^ hv)] ^ (hv >>
8
)
hv
=
~hv
def
dec(c):
if
c >
=
0x3a
:
return
c
-
55
return
c
-
48
def
dec(c):
if
c >
=
0x3a
:
return
c
-
55
return
c
-
48
v33
=
[
0
]
for
i
in
range
(
1
,
200
):
if
(xv &
1
) !
=
0
:
xv
=
3
*
xv
+
1
else
:
xv >>
=
1
v33.append(xv)
v17
=
v33[
198
] | v33[
197
] | v33[
196
]
v33
=
[
0
]
for
i
in
range
(
1
,
200
):
if
(xv &
1
) !
=
0
:
xv
=
3
*
xv
+
1
else
:
xv >>
=
1
v33.append(xv)
v17
=
v33[
198
] | v33[
197
] | v33[
196
]
p2_len
=
v17
+
2
u
=
sorted
(
ID
[
7
:
7
+
p2_len])
dst
=
b
'1234567890_ABCDEFGHIJKLMNOPQRSTUVWXYZ'
for
i
in
range
(p2_len):
assert
dec(dst[i])
=
=
u[i]
p2_len
=
v17
+
2
u
=
sorted
(
ID
[
7
:
7
+
p2_len])
dst
=
b
'1234567890_ABCDEFGHIJKLMNOPQRSTUVWXYZ'
for
i
in
range
(p2_len):
assert
dec(dst[i])
=
=
u[i]
p2_len
=
v17
+
2
v37
=
0
for
i
in
range
(p2_len):
v23
=
ID
[
7
+
i]
+
10
*
v37
v23 &
=
0xffffffff
v37
=
v23
if
v23 <
=
0x4B435445
else
v23
-
0x37373737
v37 &
=
0xffffffff
assert
v37
%
(i
+
1
)
=
=
0
p2_len
=
v17
+
2
v37
=
0
for
i
in
range
(p2_len):
v23
=
ID
[
7
+
i]
+
10
*
v37
v23 &
=
0xffffffff
v37
=
v23
if
v23 <
=
0x4B435445
else
v23
-
0x37373737
v37 &
=
0xffffffff
assert
v37
%
(i
+
1
)
=
=
0
def
check(uu):
def
dfs(cur, leng):
if
leng !
=
0
and
cur
%
leng !
=
0
:
return
if
leng
=
=
uu:
print
(cur)
return
u
=
str
(cur)[:leng]
for
i
in
range
(
1
, uu
+
1
):
if
str
(i)
in
u:
continue
dfs(cur
*
10
+
i, leng
+
1
)
dfs(
0
,
0
)
for
i
in
range
(
10
):
check(i)
"""
output:
1
12
123
321
123654
321654
38165472
381654729
"""
def
check(uu):
def
dfs(cur, leng):
if
leng !
=
0
and
cur
%
leng !
=
0
:
return
if
leng
=
=
uu:
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
赞赏
他的文章
看原图
赞赏
雪币:
留言: