-
-
[原创]第二题 末日邀请
-
2022-5-12 11:59
-
文件没壳,拖入IDA分析。
刚开始对字符串进行运算,这部分重要的结果是v10。
对字符串进行处理。处理方式是如果不大于0x 3A则减0x30,大于则减0x37。字符串大值应该大于0x30,即字符0以上。
前面得出的v10值会在后面进行赋初值运算,这里的v13是前面v10的结果。这部分运算会取最后的三位进行或得到结果和输入字符串处理后的前三位异或进行对比,应该一致。这部分赋初值的运算结果如果初值是正数(小于0x80,且不为0)则数组最后的结果是0x4,0x2,0x1的循环。所以后面三位的或结果定为7。即字符串前三位处理后异或结果为7。
这部分对比处理过的字符串的第4-7位,换算下来固定为KCTF。
这部分是长度计算。v17是前面的结果7,v18是字符串长度。v19结果则9。v18-v19-7的意思是减掉7(前三位校验+KCTF长度),减掉9(字符串中可能的另一校验部分),剩下的长度做其他处理对比。
寻找v19这部分这部分逆着看会和字符串1234567890_ABCDEFGHIJKLMNOPQRSTUVWXYZ顺序对比,所以这9位一定是1-9的字符。
对比之前是排序,所以这9位顺序不一定。
在排序前这就是确定数字位置的算法了,红框的是障眼法,9位数肯定小于1262703685。算法是从第一位开始取,每次和前面取的组成一个整数,直到第九位,且每次取组成的数能够整除取的次数。这个可以通过程序求出唯一解:381654729。
求解程序如下,首先是1-9的全排列,然后寻找符合条件的值:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 | public static void Permutation(int[] arr, int m, int n){ if (m < n - 1) { Permutation(arr, m + 1, n); for (var i = m + 1; i < n; i++) { var t = arr[m]; arr[m] = arr[i]; arr[i] = t; Permutation(arr, m + 1, n); t = arr[m]; arr[m] = arr[i]; arr[i] = t; } } else { int intnow = 0; foreach (var item in arr) { intnow = intnow \* 10 + item; } int div = 10; int temp = intnow; for (int j = div; j > 1;) { j--; if (temp % j != 0) { break; } if (j == 1) { Console.WriteLine(intnow); } else { temp = temp / 10; } } }} |
寻找v20这部分会做异或对比,两个固定数组前几位是,从第三位开始异或结果为0x91不可能为字符串处理的结果,所以v20的长度取值只能为0,1,2。
CE D2 2C BA AB
CE D2 B1 B2 B6
到这一步的推论,正确的解应该是xxxKCTF381654729[xx],这样的形式。
最开始的字符串有类似CRC处理,得到最后结果会做最后校验,以确保字符串唯一性。校验值为0xF52E0765。
到这一步基本上条件确定了,然后用程序求解,最后得到结果421KCTF381654729。
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 | static byte[] hexData = { 0x00, 0x00, 0x00, 0x00, 0x96, 0x30, 0x07, 0x09, 0x2C, 0x61, 0x0E, 0x12, 0xBA, 0x51, 0x09, 0x1B, 0x19, 0xC4, 0x6D, 0xFF, 0x8F, 0xF4, 0x6A, 0xF6, 0x35, 0xA5, 0x63, 0xED, 0xA3, 0x95, 0x64, 0xE4, 0x32, 0x88, 0xDB, 0xFE, 0xA4, 0xB8, 0xDC, 0xF7, 0x1E, 0xE9, 0xD5, 0xEC, 0x88, 0xD9, 0xD2, 0xE5, 0x2B, 0x4C, 0xB6, 0x01, 0xBD, 0x7C, 0xB1, 0x08, 0x07, 0x2D, 0xB8, 0x13, 0x91, 0x1D, 0xBF, 0x1A, 0x64, 0x10, 0xB7, 0xFD, 0xF2, 0x20, 0xB0, 0xF4, 0x48, 0x71, 0xB9, 0xEF, 0xDE, 0x41, 0xBE, 0xE6, 0x7D, 0xD4, 0xDA, 0x02, 0xEB, 0xE4, 0xDD, 0x0B, 0x51, 0xB5, 0xD4, 0x10, 0xC7, 0x85, 0xD3, 0x19, 0x56, 0x98, 0x6C, 0x03, 0xC0, 0xA8, 0x6B, 0x0A, 0x7A, 0xF9, 0x62, 0x11, 0xEC, 0xC9, 0x65, 0x18, 0x4F, 0x5C, 0x01, 0xFC, 0xD9, 0x6C, 0x06, 0xF5, 0x63, 0x3D, 0x0F, 0xEE, 0xF5, 0x0D, 0x08, 0xE7, 0xC8, 0x20, 0x6E, 0xFB, 0x5E, 0x10, 0x69, 0xF2, 0xE4, 0x41, 0x60, 0xE9, 0x72, 0x71, 0x67, 0xE0, 0xD1, 0xE4, 0x03, 0x04, 0x47, 0xD4, 0x04, 0x0D, 0xFD, 0x85, 0x0D, 0x16, 0x6B, 0xB5, 0x0A, 0x1F, 0xFA, 0xA8, 0xB5, 0x05, 0x6C, 0x98, 0xB2, 0x0C, 0xD6, 0xC9, 0xBB, 0x17, 0x40, 0xF9, 0xBC, 0x1E, 0xE3, 0x6C, 0xD8, 0xFA, 0x75, 0x5C, 0xDF, 0xF3, 0xCF, 0x0D, 0xD6, 0xE8, 0x59, 0x3D, 0xD1, 0xE1, 0xAC, 0x30, 0xD9, 0x06, 0x3A, 0x00, 0xDE, 0x0F, 0x80, 0x51, 0xD7, 0x14, 0x16, 0x61, 0xD0, 0x1D, 0xB5, 0xF4, 0xB4, 0xF9, 0x23, 0xC4, 0xB3, 0xF0, 0x99, 0x95, 0xBA, 0xEB, 0x0F, 0xA5, 0xBD, 0xE2, 0x9E, 0xB8, 0x02, 0xF8, 0x08, 0x88, 0x05, 0xF1, 0xB2, 0xD9, 0x0C, 0xEA, 0x24, 0xE9, 0x0B, 0xE3, 0x87, 0x7C, 0x6F, 0x07, 0x11, 0x4C, 0x68, 0x0E, 0xAB, 0x1D, 0x61, 0x15, 0x3D, 0x2D, 0x66, 0x1C, 0x90, 0x41, 0xDC, 0xF6, 0x06, 0x71, 0xDB, 0xFF, 0xBC, 0x20, 0xD2, 0xE4, 0x2A, 0x10, 0xD5, 0xED, 0x89, 0x85, 0xB1, 0x09, 0x1F, 0xB5, 0xB6, 0x00, 0xA5, 0xE4, 0xBF, 0x1B, 0x33, 0xD4, 0xB8, 0x12, 0xA2, 0xC9, 0x07, 0x08, 0x34, 0xF9, 0x00, 0x01, 0x8E, 0xA8, 0x09, 0x1A, 0x18, 0x98, 0x0E, 0x13, 0xBB, 0x0D, 0x6A, 0xF7, 0x2D, 0x3D, 0x6D, 0xFE, 0x97, 0x6C, 0x64, 0xE5, 0x01, 0x5C, 0x63, 0xEC, 0xF4, 0x51, 0x6B, 0x0B, 0x62, 0x61, 0x6C, 0x02, 0xD8, 0x30, 0x65, 0x19, 0x4E, 0x00, 0x62, 0x10, 0xED, 0x95, 0x06, 0xF4, 0x7B, 0xA5, 0x01, 0xFD, 0xC1, 0xF4, 0x08, 0xE6, 0x57, 0xC4, 0x0F, 0xEF, 0xC6, 0xD9, 0xB0, 0xF5, 0x50, 0xE9, 0xB7, 0xFC, 0xEA, 0xB8, 0xBE, 0xE7, 0x7C, 0x88, 0xB9, 0xEE, 0xDF, 0x1D, 0xDD, 0x0A, 0x49, 0x2D, 0xDA, 0x03, 0xF3, 0x7C, 0xD3, 0x18, 0x65, 0x4C, 0xD4, 0x11, 0x58, 0x61, 0xB2, 0x0D, 0xCE, 0x51, 0xB5, 0x04, 0x74, 0x00, 0xBC, 0x1F, 0xE2, 0x30, 0xBB, 0x16, 0x41, 0xA5, 0xDF, 0xF2, 0xD7, 0x95, 0xD8, 0xFB, 0x6D, 0xC4, 0xD1, 0xE0, 0xFB, 0xF4, 0xD6, 0xE9, 0x6A, 0xE9, 0x69, 0xF3, 0xFC, 0xD9, 0x6E, 0xFA, 0x46, 0x88, 0x67, 0xE1, 0xD0, 0xB8, 0x60, 0xE8, 0x73, 0x2D, 0x04, 0x0C, 0xE5, 0x1D, 0x03, 0x05, 0x5F, 0x4C, 0x0A, 0x1E, 0xC9, 0x7C, 0x0D, 0x17, 0x3C, 0x71, 0x05, 0xF0, 0xAA, 0x41, 0x02, 0xF9, 0x10, 0x10, 0x0B, 0xE2, 0x86, 0x20, 0x0C, 0xEB, 0x25, 0xB5, 0x68, 0x0F, 0xB3, 0x85, 0x6F, 0x06, 0x09, 0xD4, 0x66, 0x1D, 0x9F, 0xE4, 0x61, 0x14, 0x0E, 0xF9, 0xDE, 0x0E, 0x98, 0xC9, 0xD9, 0x07, 0x22, 0x98, 0xD0, 0x1C, 0xB4, 0xA8, 0xD7, 0x15, 0x17, 0x3D, 0xB3, 0xF1, 0x81, 0x0D, 0xB4, 0xF8, 0x3B, 0x5C, 0xBD, 0xE3, 0xAD, 0x6C, 0xBA, 0xEA, 0x20, 0x83, 0xB8, 0xED, 0xB6, 0xB3, 0xBF, 0xE4, 0x0C, 0xE2, 0xB6, 0xFF, 0x9A, 0xD2, 0xB1, 0xF6, 0x39, 0x47, 0xD5, 0x12, 0xAF, 0x77, 0xD2, 0x1B, 0x15, 0x26, 0xDB, 0x00, 0x83, 0x16, 0xDC, 0x09, 0x12, 0x0B, 0x63, 0x13, 0x84, 0x3B, 0x64, 0x1A, 0x3E, 0x6A, 0x6D, 0x01, 0xA8, 0x5A, 0x6A, 0x08, 0x0B, 0xCF, 0x0E, 0xEC, 0x9D, 0xFF, 0x09, 0xE5, 0x27, 0xAE, 0x00, 0xFE, 0xB1, 0x9E, 0x07, 0xF7, 0x44, 0x93, 0x0F, 0x10, 0xD2, 0xA3, 0x08, 0x19, 0x68, 0xF2, 0x01, 0x02, 0xFE, 0xC2, 0x06, 0x0B, 0x5D, 0x57, 0x62, 0xEF, 0xCB, 0x67, 0x65, 0xE6, 0x71, 0x36, 0x6C, 0xFD, 0xE7, 0x06, 0x6B, 0xF4, 0x76, 0x1B, 0xD4, 0xEE, 0xE0, 0x2B, 0xD3, 0xE7, 0x5A, 0x7A, 0xDA, 0xFC, 0xCC, 0x4A, 0xDD, 0xF5, 0x6F, 0xDF, 0xB9, 0x11, 0xF9, 0xEF, 0xBE, 0x18, 0x43, 0xBE, 0xB7, 0x03, 0xD5, 0x8E, 0xB0, 0x0A, 0xE8, 0xA3, 0xD6, 0x16, 0x7E, 0x93, 0xD1, 0x1F, 0xC4, 0xC2, 0xD8, 0x04, 0x52, 0xF2, 0xDF, 0x0D, 0xF1, 0x67, 0xBB, 0xE9, 0x67, 0x57, 0xBC, 0xE0, 0xDD, 0x06, 0xB5, 0xFB, 0x4B, 0x36, 0xB2, 0xF2, 0xDA, 0x2B, 0x0D, 0xE8, 0x4C, 0x1B, 0x0A, 0xE1, 0xF6, 0x4A, 0x03, 0xFA, 0x60, 0x7A, 0x04, 0xF3, 0xC3, 0xEF, 0x60, 0x17, 0x55, 0xDF, 0x67, 0x1E, 0xEF, 0x8E, 0x6E, 0x05, 0x79, 0xBE, 0x69, 0x0C, 0x8C, 0xB3, 0x61, 0xEB, 0x1A, 0x83, 0x66, 0xE2, 0xA0, 0xD2, 0x6F, 0xF9, 0x36, 0xE2, 0x68, 0xF0, 0x95, 0x77, 0x0C, 0x14, 0x03, 0x47, 0x0B, 0x1D, 0xB9, 0x16, 0x02, 0x06, 0x2F, 0x26, 0x05, 0x0F, 0xBE, 0x3B, 0xBA, 0x15, 0x28, 0x0B, 0xBD, 0x1C, 0x92, 0x5A, 0xB4, 0x07, 0x04, 0x6A, 0xB3, 0x0E, 0xA7, 0xFF, 0xD7, 0xEA, 0x31, 0xCF, 0xD0, 0xE3, 0x8B, 0x9E, 0xD9, 0xF8, 0x1D, 0xAE, 0xDE, 0xF1, 0xB0, 0xC2, 0x64, 0x1B, 0x26, 0xF2, 0x63, 0x12, 0x9C, 0xA3, 0x6A, 0x09, 0x0A, 0x93, 0x6D, 0x00, 0xA9, 0x06, 0x09, 0xE4, 0x3F, 0x36, 0x0E, 0xED, 0x85, 0x67, 0x07, 0xF6, 0x13, 0x57, 0x00, 0xFF, 0x82, 0x4A, 0xBF, 0xE5, 0x14, 0x7A, 0xB8, 0xEC, 0xAE, 0x2B, 0xB1, 0xF7, 0x38, 0x1B, 0xB6, 0xFE, 0x9B, 0x8E, 0xD2, 0x1A, 0x0D, 0xBE, 0xD5, 0x13, 0xB7, 0xEF, 0xDC, 0x08, 0x21, 0xDF, 0xDB, 0x01, 0xD4, 0xD2, 0xD3, 0xE6, 0x42, 0xE2, 0xD4, 0xEF, 0xF8, 0xB3, 0xDD, 0xF4, 0x6E, 0x83, 0xDA, 0xFD, 0xCD, 0x16, 0xBE, 0x19, 0x5B, 0x26, 0xB9, 0x10, 0xE1, 0x77, 0xB0, 0x0B, 0x77, 0x47, 0xB7, 0x02, 0xE6, 0x5A, 0x08, 0x18, 0x70, 0x6A, 0x0F, 0x11, 0xCA, 0x3B, 0x06, 0x0A, 0x5C, 0x0B, 0x01, 0x03, 0xFF, 0x9E, 0x65, 0xE7, 0x69, 0xAE, 0x62, 0xEE, 0xD3, 0xFF, 0x6B, 0xF5, 0x45, 0xCF, 0x6C, 0xFC, 0x78, 0xE2, 0x0A, 0xE0, 0xEE, 0xD2, 0x0D, 0xE9, 0x54, 0x83, 0x04, 0xF2, 0xC2, 0xB3, 0x03, 0xFB, 0x61, 0x26, 0x67, 0x1F, 0xF7, 0x16, 0x60, 0x16, 0x4D, 0x47, 0x69, 0x0D, 0xDB, 0x77, 0x6E, 0x04, 0x4A, 0x6A, 0xD1, 0x1E, 0xDC, 0x5A, 0xD6, 0x17, 0x66, 0x0B, 0xDF, 0x0C, 0xF0, 0x3B, 0xD8, 0x05, 0x53, 0xAE, 0xBC, 0xE1, 0xC5, 0x9E, 0xBB, 0xE8, 0x7F, 0xCF, 0xB2, 0xF3, 0xE9, 0xFF, 0xB5, 0xFA, 0x1C, 0xF2, 0xBD, 0x1D, 0x8A, 0xC2, 0xBA, 0x14, 0x30, 0x93, 0xB3, 0x0F, 0xA6, 0xA3, 0xB4, 0x06, 0x05, 0x36, 0xD0, 0xE2, 0x93, 0x06, 0xD7, 0xEB, 0x29, 0x57, 0xDE, 0xF0, 0xBF, 0x67, 0xD9, 0xF9, 0x2E, 0x7A, 0x66, 0xE3, 0xB8, 0x4A, 0x61, 0xEA, 0x02, 0x1B, 0x68, 0xF1, 0x94, 0x2B, 0x6F, 0xF8, 0x37, 0xBE, 0x0B, 0x1C, 0xA1, 0x8E, 0x0C, 0x15, 0x1B, 0xDF, 0x05, 0x0E, 0x8D, 0xEF, 0x02, 0x07}; static UInt32[] crcTable = new UInt32[256]; public static uint GetCRC32(byte[] bytes) { uint iCount = (uint)bytes.Length; uint crc = 0xFFFFFFFF; for (uint i = 0; i < iCount; i++) { bool flag = (crc & 0x80000000) > 0; crc = crcTable[(byte)((crc) ^ bytes[i])] ^ (crc >> 8 | (flag ? (0xFF000000): (0x00000000))) ; } return \~crc; } static void Main(string[] args) { for (int i = 0; i < 256; i++) { crcTable[i] = BitConverter.ToUInt32(hexData, i \* 4); } string psb1 = "KCTF38165472900"; string psb2 = "KCTF3816547290"; string psb3 = "KCTF381654729"; byte[] psb1b = Encoding.Default.GetBytes(psb1); byte[] psb2b = Encoding.Default.GetBytes(psb2); byte[] psb3b = Encoding.Default.GetBytes(psb3); for (int i = 48; i < 127; i++) { for (int j = 48; j < 127; j++) { for (int k = 48; k < 127; k++) { int ii = i, jj = j,kk=k; ii = ii >= 58 ? (ii - 55) : (ii - 48); jj = jj >= 58 ? (jj - 55) : (jj - 48); kk = kk >= 58 ? (kk - 55) : (kk - 48); if ((ii ^ jj ^ kk) == 7) { byte[] prefix = new byte[] {(byte)i, (byte)j, (byte)k }; byte[] test1 = new byte[psb1b.Length + prefix.Length]; byte[] test2 = new byte[psb2b.Length + prefix.Length]; byte[] test3= new byte[psb3b.Length + prefix.Length]; Array.Copy(prefix, 0, test1, 0, 3); Array.Copy(psb1b, 0, test1, 3, psb1b.Length); Array.Copy(prefix, 0, test2, 0, 3); Array.Copy(psb2b, 0, test2, 3, psb2b.Length); Array.Copy(prefix, 0, test3, 0, 3); Array.Copy(psb3b, 0, test3, 3, psb3b.Length); uint crc = GetCRC32(test1); if (crc == 0xF52E0765) { Console.WriteLine(Encoding.Default.GetString(test1)); } crc = GetCRC32(test2); if (crc == 0xF52E0765) { Console.WriteLine(Encoding.Default.GetString(test2)); } crc = GetCRC32(test3); if (crc == 0xF52E0765) { Console.WriteLine(Encoding.Default.GetString(test3)); } } } } } } |
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2022-5-12 12:05
被xwwei编辑
,原因:
|
|
|---|---|
