首页
社区
课程
招聘
[原创]2022KCTF春季赛 第二题 末日邀请
2022-5-13 01:04 11121

[原创]2022KCTF春季赛 第二题 末日邀请

2022-5-13 01:04
11121

首先对输入进行CRC32计算,有魔改,到最后一步会去验证CRC是不是为0xF52E0765,这个需要爆破
图片描述
对输入加密,加密算法简单,对于每一个字符,a>=0x3A?a-=0x37:a-=0x30
图片描述
第1处验证:输入的前3个做xor运算,最后结果可能有以下情况
图片描述
0,7,-1,-17,-4,-41,-5,-37,-2,-49,-17,-3

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
#include<stdio.h>
 
int main(){
    int mat[200]={0};
    for(int num=0;num<=255;num++){
        int temp = (char)num;
        for(int i = 1;i<200;i++){
            if((temp & 1)!=0){
                temp = 3*temp+1;
            }else{
                temp = temp >> 1;
            }
            mat[i] = temp;
        }
        printf("%d %d\n",num,mat[198] | mat[197] | mat[196]);
    }
}

此处先跳过,最后再爆破

 

第2处验证:判断加密后是不是一个固定值,求出来KCTF
图片描述
第3处验证:结合之前的运算结果数值+2,读取指定长度的输入,转换为数字运算,输入进行排序,排序结果和指定长度的字符串加密后结果相同,爆破代码

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
#include<stdio.h>
 
int N[]={1e9,1e8,1e7,1e6,1e5,1e4,1e3,1e2,1e1,1e0};
 
int check2(int num){
    int n[10]={0};
    for(int k=1;k<=9;k++){
        int p = (num/N[k])%10;
        if(p == 0 || n[p] == 1){
            return 0;
        }
        n[p] = 1;
    }
    return 1;
}
 
int main(){
    for(int i=123456789;i<=987654321;i++){
        int num = i;
        int result = 1;
        int n = 0;
        for(int k=1;k<=9;k++){
            int t = (num/N[k])%10;
            n = n*10+t;
            if(n>0x4B435445){
                n-=0x37373737;
            }
            if(n%k){
                result = 0;
                break;
            }
        }
        if(result){
            if(check2(num)){
                printf("%d\n",num);
            }
        }
    }
    return 0;
}

得到结果381654729,当然1,12,空串 也符合

 

第4处验证:判断剩下的字符串长度是否为8的倍数,进行加密,最后xor判断结果
这个加密求解不出来,留空,或者 00 可以通过验证

 

最后爆破CRC ???KCTF38165472900 or ???KCTF1200 or ???KCTF100 or ???KCTF00

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
# include <stdio.h>
# include <stdlib.h>
 
static unsigned long Crc32_ComputeBuf(unsigned long inCrc32, const void *buf, size_t bufLen) {
  static const int crcTable[256] = {
 
0x00000000, 0x09073096, 0x120E612C, 0x1B0951BA, 0xFF6DC419, 0xF66AF48F, 0xED63A535, 0xE46495A3,
0xFEDB8832, 0xF7DCB8A4, 0xECD5E91E, 0xE5D2D988, 0x01B64C2B, 0x08B17CBD, 0x13B82D07, 0x1ABF1D91,
0xFDB71064, 0xF4B020F2, 0xEFB97148, 0xE6BE41DE, 0x02DAD47D, 0x0BDDE4EB, 0x10D4B551, 0x19D385C7,
0x036C9856, 0x0A6BA8C0, 0x1162F97A, 0x1865C9EC, 0xFC015C4F, 0xF5066CD9, 0xEE0F3D63, 0xE7080DF5,
0xFB6E20C8, 0xF269105E, 0xE96041E4, 0xE0677172, 0x0403E4D1, 0x0D04D447, 0x160D85FD, 0x1F0AB56B,
0x05B5A8FA, 0x0CB2986C, 0x17BBC9D6, 0x1EBCF940, 0xFAD86CE3, 0xF3DF5C75, 0xE8D60DCF, 0xE1D13D59,
0x06D930AC, 0x0FDE003A, 0x14D75180, 0x1DD06116, 0xF9B4F4B5, 0xF0B3C423, 0xEBBA9599, 0xE2BDA50F,
0xF802B89E, 0xF1058808, 0xEA0CD9B2, 0xE30BE924, 0x076F7C87, 0x0E684C11, 0x15611DAB, 0x1C662D3D,
0xF6DC4190, 0xFFDB7106, 0xE4D220BC, 0xEDD5102A, 0x09B18589, 0x00B6B51F, 0x1BBFE4A5, 0x12B8D433,
0x0807C9A2, 0x0100F934, 0x1A09A88E, 0x130E9818, 0xF76A0DBB, 0xFE6D3D2D, 0xE5646C97, 0xEC635C01,
0x0B6B51F4, 0x026C6162, 0x196530D8, 0x1062004E, 0xF40695ED, 0xFD01A57B, 0xE608F4C1, 0xEF0FC457,
0xF5B0D9C6, 0xFCB7E950, 0xE7BEB8EA, 0xEEB9887C, 0x0ADD1DDF, 0x03DA2D49, 0x18D37CF3, 0x11D44C65,
0x0DB26158, 0x04B551CE, 0x1FBC0074, 0x16BB30E2, 0xF2DFA541, 0xFBD895D7, 0xE0D1C46D, 0xE9D6F4FB,
0xF369E96A, 0xFA6ED9FC, 0xE1678846, 0xE860B8D0, 0x0C042D73, 0x05031DE5, 0x1E0A4C5F, 0x170D7CC9,
0xF005713C, 0xF90241AA, 0xE20B1010, 0xEB0C2086, 0x0F68B525, 0x066F85B3, 0x1D66D409, 0x1461E49F,
0x0EDEF90E, 0x07D9C998, 0x1CD09822, 0x15D7A8B4, 0xF1B33D17, 0xF8B40D81, 0xE3BD5C3B, 0xEABA6CAD,
0xEDB88320, 0xE4BFB3B6, 0xFFB6E20C, 0xF6B1D29A, 0x12D54739, 0x1BD277AF, 0x00DB2615, 0x09DC1683,
0x13630B12, 0x1A643B84, 0x016D6A3E, 0x086A5AA8, 0xEC0ECF0B, 0xE509FF9D, 0xFE00AE27, 0xF7079EB1,
0x100F9344, 0x1908A3D2, 0x0201F268, 0x0B06C2FE, 0xEF62575D, 0xE66567CB, 0xFD6C3671, 0xF46B06E7,
0xEED41B76, 0xE7D32BE0, 0xFCDA7A5A, 0xF5DD4ACC, 0x11B9DF6F, 0x18BEEFF9, 0x03B7BE43, 0x0AB08ED5,
0x16D6A3E8, 0x1FD1937E, 0x04D8C2C4, 0x0DDFF252, 0xE9BB67F1, 0xE0BC5767, 0xFBB506DD, 0xF2B2364B,
0xE80D2BDA, 0xE10A1B4C, 0xFA034AF6, 0xF3047A60, 0x1760EFC3, 0x1E67DF55, 0x056E8EEF, 0x0C69BE79,
0xEB61B38C, 0xE266831A, 0xF96FD2A0, 0xF068E236, 0x140C7795, 0x1D0B4703, 0x060216B9, 0x0F05262F,
0x15BA3BBE, 0x1CBD0B28, 0x07B45A92, 0x0EB36A04, 0xEAD7FFA7, 0xE3D0CF31, 0xF8D99E8B, 0xF1DEAE1D,
0x1B64C2B0, 0x1263F226, 0x096AA39C, 0x006D930A, 0xE40906A9, 0xED0E363F, 0xF6076785, 0xFF005713,
0xE5BF4A82, 0xECB87A14, 0xF7B12BAE, 0xFEB61B38, 0x1AD28E9B, 0x13D5BE0D, 0x08DCEFB7, 0x01DBDF21,
0xE6D3D2D4, 0xEFD4E242, 0xF4DDB3F8, 0xFDDA836E, 0x19BE16CD, 0x10B9265B, 0x0BB077E1, 0x02B74777,
0x18085AE6, 0x110F6A70, 0x0A063BCA, 0x03010B5C, 0xE7659EFF, 0xEE62AE69, 0xF56BFFD3, 0xFC6CCF45,
0xE00AE278, 0xE90DD2EE, 0xF2048354, 0xFB03B3C2, 0x1F672661, 0x166016F7, 0x0D69474D, 0x046E77DB,
0x1ED16A4A, 0x17D65ADC, 0x0CDF0B66, 0x05D83BF0, 0xE1BCAE53, 0xE8BB9EC5, 0xF3B2CF7F, 0xFAB5FFE9,
0x1DBDF21C, 0x14BAC28A, 0x0FB39330, 0x06B4A3A6, 0xE2D03605, 0xEBD70693, 0xF0DE5729, 0xF9D967BF,
0xE3667A2E, 0xEA614AB8, 0xF1681B02, 0xF86F2B94, 0x1C0BBE37, 0x150C8EA1, 0x0E05DF1B, 0x0702EF8D
 
  };
  signed int crc32;
  unsigned char *byteBuf;
  size_t i;
 
  /** accumulate crc32 for buffer **/
  crc32 = inCrc32 ^ 0xFFFFFFFF;
  byteBuf = (unsigned char*) buf;
  for (i = 0; i < bufLen; i++) {
      crc32 = (crc32 >> 8) ^ crcTable[(crc32 ^ byteBuf[i]) & 0xFF];
      //printf("%.8x\n",crc32);
  }
  return crc32 ^ 0xFFFFFFFF;
}
 
//[3-9]
int main(){
    unsigned char buf[100]={0x50,0x50,0x30,0x4b,0x43,0x54,0x46,0x33,0x38,0x31,0x36,0x35,0x34,0x37,0x32,0x39,0x30,0x30};
    for(int l=16;l<=18;l++){
        for(int a=0;a<0xff;a++){
            for(int b=0;b<0xff;b++){
                for(int c=0;c<0xff;c++){
                    buf[0]=a;
                    buf[1]=b;
                    buf[2]=c;
                    unsigned long result = Crc32_ComputeBuf(0,buf,l);
                    //printf("%.8x\n",result);
                    if((result ^ 0xF52E0765) == 0){
                        buf[l]=0;
                        printf("%s\n",buf);
                    }
                }
            }
        }
    }
 
    return 0;
}

最后得到421KCTF381654729


[培训]《安卓高级研修班(网课)》月薪三万计划

收藏
点赞2
打赏
分享
最新回复 (0)
游客
登录 | 注册 方可回帖
返回