[原创]2022KCTF春季赛 第二题 末日邀请
2022-5-13 01:04 11121
首先对输入进行CRC32计算,有魔改,到最后一步会去验证CRC是不是为0xF52E0765,这个需要爆破
对输入加密,加密算法简单:对于每一个字符 a,a>=0x3A ? a-=0x37 : a-=0x30,也就是把 '0'–'9' 映射为 0–9、把 'A' 起的字符映射为 10 起的数值
第1处验证:输入的前3个做xor运算,最后结果可能有以下情况
0,7,-1,-17,-4,-41,-5,-37,-2,-49,-17,-3
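#include <stdio.h>

/*
 * Tabulates, for every byte value 0..255, the value the first check ends up
 * with: the byte is read as a signed 8-bit number, run through 199 rounds of
 * "odd -> 3n+1, even -> shift right by one", and the results of rounds
 * 196, 197 and 198 are combined with bitwise OR.
 *
 * Output: one line per byte, "<byte> <combined value>".
 *
 * NOTE(review): the accompanying text calls the combining step xor, while
 * this listing uses bitwise OR; confirm against the target before relying
 * on the table.
 */
int main(void)
{
    enum { STEPS = 200 };
    int mat[STEPS] = { 0 };

    for (int num = 0; num <= 255; num++) {
        /*
         * Plain `char` may be unsigned (it is on several ABIs), which would
         * make the negative results listed in the write-up unreachable.
         * `signed char` makes 128..255 map to negative values on every
         * mainstream compiler.
         */
        int temp = (signed char)num;

        for (int i = 1; i < STEPS; i++) {
            if ((temp & 1) != 0) {
                temp = 3 * temp + 1;
            } else {
                /* only reached for even values; relies on an arithmetic
                 * (sign-preserving) shift for negative temp */
                temp = temp >> 1;
            }
            mat[i] = temp;
        }

        printf("%d %d\n", num, mat[198] | mat[197] | mat[196]);
    }

    return 0;
}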
此处先跳过,最后再爆破
第2处验证:判断加密后是不是一个固定值,求出来KCTF
第3处验证:结合之前的运算结果数值+2,读取指定长度的输入,转换为数字运算,输入进行排序,排序结果和指定长度的字符串加密后结果相同,爆破代码
#include <stdio.h>

/*
 * Powers of ten, largest first. N[k] for k = 1..9 isolates the k-th decimal
 * digit (counted from the left) of a nine-digit number; N[0] is not used by
 * the code below.
 */
int N[] = {
    1000000000, 100000000, 10000000, 1000000, 100000,
    10000, 1000, 100, 10, 1
};

/*
 * Returns 1 when the nine decimal digits of num are exactly the digits 1..9,
 * each used once (no zero, no repeat); returns 0 otherwise.
 */
int check2(int num)
{
    int seen[10] = { 0 };
    int k = 1;

    while (k <= 9) {
        int digit = (num / N[k]) % 10;

        if (digit == 0 || seen[digit] == 1)
            return 0;
        seen[digit] = 1;
        k++;
    }
    return 1;
}

/*
 * Exhaustive search over 123456789..987654321 for numbers whose k-digit
 * prefix is divisible by k for every k in 1..9 and whose digits pass
 * check2(). Each hit is printed on its own line.
 */
int main(void)
{
    for (int i = 123456789; i <= 987654321; i++) {
        int prefix = 0;
        int k = 1;

        while (k <= 9) {
            prefix = prefix * 10 + (i / N[k]) % 10;

            /*
             * Adjustment copied from the check being modelled. A nine-digit
             * prefix is at most 987654321, which is below 0x4B435445, so the
             * branch is not taken during this search.
             */
            if (prefix > 0x4B435445)
                prefix -= 0x37373737;

            if (prefix % k != 0)
                break;
            k++;
        }

        /* k only runs past 9 when every prefix passed its divisibility test */
        if (k > 9 && check2(i))
            printf("%d\n", i);
    }
    return 0;
}
得到结果381654729,当然1,12,空串 也符合
第4处验证:判断剩下的字符串长度是否为8的倍数,进行加密,最后xor判断结果
这个加密求解不出来,留空,或者 00 可以通过验证
最后爆破CRC ???KCTF38165472900 or ???KCTF1200 or ???KCTF100 or ???KCTF00
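#include <stdio.h>
#include <stdlib.h>

/*
 * Table-driven CRC over a buffer, using the modified table from the
 * challenge (it is not the standard CRC-32 table) and a SIGNED accumulator.
 *
 * inCrc32  CRC to continue from; pass 0 to start a new computation.
 * buf      bytes to process.
 * bufLen   number of bytes in buf.
 *
 * Returns the updated CRC, with the initial and final XOR with 0xFFFFFFFF
 * applied.
 *
 * The accumulator and the table are deliberately `int`: `crc32 >> 8` on a
 * negative value then copies the sign bit into the top byte (arithmetic
 * shift on mainstream compilers; implementation-defined in ISO C). Switching
 * to unsigned types would turn that into a logical shift and produce
 * different results. Table entries above 0x7FFFFFFF likewise rely on the
 * usual wrap-around conversion to int.
 */
static unsigned long Crc32_ComputeBuf(unsigned long inCrc32, const void *buf,
                                      size_t bufLen)
{
    static const int crcTable[256] = {
        0x00000000, 0x09073096, 0x120E612C, 0x1B0951BA,
        0xFF6DC419, 0xF66AF48F, 0xED63A535, 0xE46495A3,
        0xFEDB8832, 0xF7DCB8A4, 0xECD5E91E, 0xE5D2D988,
        0x01B64C2B, 0x08B17CBD, 0x13B82D07, 0x1ABF1D91,
        0xFDB71064, 0xF4B020F2, 0xEFB97148, 0xE6BE41DE,
        0x02DAD47D, 0x0BDDE4EB, 0x10D4B551, 0x19D385C7,
        0x036C9856, 0x0A6BA8C0, 0x1162F97A, 0x1865C9EC,
        0xFC015C4F, 0xF5066CD9, 0xEE0F3D63, 0xE7080DF5,
        0xFB6E20C8, 0xF269105E, 0xE96041E4, 0xE0677172,
        0x0403E4D1, 0x0D04D447, 0x160D85FD, 0x1F0AB56B,
        0x05B5A8FA, 0x0CB2986C, 0x17BBC9D6, 0x1EBCF940,
        0xFAD86CE3, 0xF3DF5C75, 0xE8D60DCF, 0xE1D13D59,
        0x06D930AC, 0x0FDE003A, 0x14D75180, 0x1DD06116,
        0xF9B4F4B5, 0xF0B3C423, 0xEBBA9599, 0xE2BDA50F,
        0xF802B89E, 0xF1058808, 0xEA0CD9B2, 0xE30BE924,
        0x076F7C87, 0x0E684C11, 0x15611DAB, 0x1C662D3D,
        0xF6DC4190, 0xFFDB7106, 0xE4D220BC, 0xEDD5102A,
        0x09B18589, 0x00B6B51F, 0x1BBFE4A5, 0x12B8D433,
        0x0807C9A2, 0x0100F934, 0x1A09A88E, 0x130E9818,
        0xF76A0DBB, 0xFE6D3D2D, 0xE5646C97, 0xEC635C01,
        0x0B6B51F4, 0x026C6162, 0x196530D8, 0x1062004E,
        0xF40695ED, 0xFD01A57B, 0xE608F4C1, 0xEF0FC457,
        0xF5B0D9C6, 0xFCB7E950, 0xE7BEB8EA, 0xEEB9887C,
        0x0ADD1DDF, 0x03DA2D49, 0x18D37CF3, 0x11D44C65,
        0x0DB26158, 0x04B551CE, 0x1FBC0074, 0x16BB30E2,
        0xF2DFA541, 0xFBD895D7, 0xE0D1C46D, 0xE9D6F4FB,
        0xF369E96A, 0xFA6ED9FC, 0xE1678846, 0xE860B8D0,
        0x0C042D73, 0x05031DE5, 0x1E0A4C5F, 0x170D7CC9,
        0xF005713C, 0xF90241AA, 0xE20B1010, 0xEB0C2086,
        0x0F68B525, 0x066F85B3, 0x1D66D409, 0x1461E49F,
        0x0EDEF90E, 0x07D9C998, 0x1CD09822, 0x15D7A8B4,
        0xF1B33D17, 0xF8B40D81, 0xE3BD5C3B, 0xEABA6CAD,
        0xEDB88320, 0xE4BFB3B6, 0xFFB6E20C, 0xF6B1D29A,
        0x12D54739, 0x1BD277AF, 0x00DB2615, 0x09DC1683,
        0x13630B12, 0x1A643B84, 0x016D6A3E, 0x086A5AA8,
        0xEC0ECF0B, 0xE509FF9D, 0xFE00AE27, 0xF7079EB1,
        0x100F9344, 0x1908A3D2, 0x0201F268, 0x0B06C2FE,
        0xEF62575D, 0xE66567CB, 0xFD6C3671, 0xF46B06E7,
        0xEED41B76, 0xE7D32BE0, 0xFCDA7A5A, 0xF5DD4ACC,
        0x11B9DF6F, 0x18BEEFF9, 0x03B7BE43, 0x0AB08ED5,
        0x16D6A3E8, 0x1FD1937E, 0x04D8C2C4, 0x0DDFF252,
        0xE9BB67F1, 0xE0BC5767, 0xFBB506DD, 0xF2B2364B,
        0xE80D2BDA, 0xE10A1B4C, 0xFA034AF6, 0xF3047A60,
        0x1760EFC3, 0x1E67DF55, 0x056E8EEF, 0x0C69BE79,
        0xEB61B38C, 0xE266831A, 0xF96FD2A0, 0xF068E236,
        0x140C7795, 0x1D0B4703, 0x060216B9, 0x0F05262F,
        0x15BA3BBE, 0x1CBD0B28, 0x07B45A92, 0x0EB36A04,
        0xEAD7FFA7, 0xE3D0CF31, 0xF8D99E8B, 0xF1DEAE1D,
        0x1B64C2B0, 0x1263F226, 0x096AA39C, 0x006D930A,
        0xE40906A9, 0xED0E363F, 0xF6076785, 0xFF005713,
        0xE5BF4A82, 0xECB87A14, 0xF7B12BAE, 0xFEB61B38,
        0x1AD28E9B, 0x13D5BE0D, 0x08DCEFB7, 0x01DBDF21,
        0xE6D3D2D4, 0xEFD4E242, 0xF4DDB3F8, 0xFDDA836E,
        0x19BE16CD, 0x10B9265B, 0x0BB077E1, 0x02B74777,
        0x18085AE6, 0x110F6A70, 0x0A063BCA, 0x03010B5C,
        0xE7659EFF, 0xEE62AE69, 0xF56BFFD3, 0xFC6CCF45,
        0xE00AE278, 0xE90DD2EE, 0xF2048354, 0xFB03B3C2,
        0x1F672661, 0x166016F7, 0x0D69474D, 0x046E77DB,
        0x1ED16A4A, 0x17D65ADC, 0x0CDF0B66, 0x05D83BF0,
        0xE1BCAE53, 0xE8BB9EC5, 0xF3B2CF7F, 0xFAB5FFE9,
        0x1DBDF21C, 0x14BAC28A, 0x0FB39330, 0x06B4A3A6,
        0xE2D03605, 0xEBD70693, 0xF0DE5729, 0xF9D967BF,
        0xE3667A2E, 0xEA614AB8, 0xF1681B02, 0xF86F2B94,
        0x1C0BBE37, 0x150C8EA1, 0x0E05DF1B, 0x0702EF8D
    };
    const unsigned char *byteBuf = buf;
    signed int crc32;
    size_t i;

    /* accumulate crc32 for buffer */
    crc32 = inCrc32 ^ 0xFFFFFFFF;
    for (i = 0; i < bufLen; i++) {
        /* signed shift on purpose, see the function comment */
        crc32 = (crc32 >> 8) ^ crcTable[(crc32 ^ byteBuf[i]) & 0xFF];
    }
    return crc32 ^ 0xFFFFFFFF;
}

// [3-9]
/*
 * Searches the three unknown leading bytes of the candidate string so that
 * its CRC equals 0xF52E0765. The template is "???KCTF381654729" followed by
 * "", "0" or "00", which is why the length l runs over 16, 17 and 18.
 *
 * Only three free bytes (255^3 combinations per length) are needed to hit a
 * chosen 32-bit CRC, which illustrates that a CRC-style checksum gives no
 * protection against a chosen input.
 */
int main(void)
{
    unsigned char buf[100] = {
        0x50, 0x50, 0x30,                   /* placeholders, overwritten below */
        0x4b, 0x43, 0x54, 0x46,             /* "KCTF" */
        0x33, 0x38, 0x31, 0x36, 0x35,
        0x34, 0x37, 0x32, 0x39,             /* "381654729" */
        0x30, 0x30                          /* optional trailing "00" */
    };

    for (int l = 16; l <= 18; l++) {
        for (int a = 0; a < 0xff; a++) {
            buf[0] = a;
            for (int b = 0; b < 0xff; b++) {
                buf[1] = b;
                for (int c = 0; c < 0xff; c++) {
                    buf[2] = c;

                    unsigned long result = Crc32_ComputeBuf(0, buf, l);

                    if ((result ^ 0xF52E0765) == 0) {
                        /*
                         * Print exactly l bytes instead of writing a NUL at
                         * buf[l]: a hit at length 16 or 17 used to overwrite
                         * one of the trailing '0' bytes, so the later,
                         * longer candidates were checked against a damaged
                         * template.
                         */
                        printf("%.*s\n", l, (const char *)buf);
                    }
                }
            }
        }
    }
    return 0;
}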
最后得到421KCTF381654729