[原创]第二题WP
发表于: 2022-5-14 00:47 7488


Flag 分成三部分:第一部分是三个字节,转换后的数值需要满足 f[0]^f[1]^f[2]=7 的约束;第二部分是固定字符 KCTF;第三部分需要满足运算后依次能被 1-9 整除。直接上脚本,很快就可以爆破出结果。

import struct
import logging
import binascii
from itertools import permutations
import string
 
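# Raw byte dump (1024 bytes) of the 256-entry lookup table used by get_flag_0_7().
# The scraped listing had this literal wrapped in the middle of two hex tokens
# ("0x3" / "0" and "0x5" / "7"), which is a syntax error; it is rejoined here.
# NOTE(review): the low three bytes of the leading entries match the standard
# CRC-32 table while the top byte differs, so binascii.crc32 presumably cannot
# be substituted for this table -- confirm against the target binary.
gkey_tmp = [0x00,0x00,0x00,0x00,0x96,0x30,0x07,0x09,0x2C,0x61,0x0E,0x12,0xBA,0x51,0x09,0x1B,0x19,0xC4,0x6D,0xFF,0x8F,0xF4,0x6A,0xF6,0x35,0xA5,0x63,0xED,0xA3,0x95,0x64,0xE4,0x32,0x88,0xDB,0xFE,0xA4,0xB8,0xDC,0xF7,0x1E,0xE9,0xD5,0xEC,0x88,0xD9,0xD2,0xE5,0x2B,0x4C,0xB6,0x01,0xBD,0x7C,0xB1,0x08,0x07,0x2D,0xB8,0x13,0x91,0x1D,0xBF,0x1A,0x64,0x10,0xB7,0xFD,0xF2,0x20,0xB0,0xF4,0x48,0x71,0xB9,0xEF,0xDE,0x41,0xBE,0xE6,0x7D,0xD4,0xDA,0x02,0xEB,0xE4,0xDD,0x0B,0x51,0xB5,0xD4,0x10,0xC7,0x85,0xD3,0x19,0x56,0x98,0x6C,0x03,0xC0,0xA8,0x6B,0x0A,0x7A,0xF9,0x62,0x11,0xEC,0xC9,0x65,0x18,0x4F,0x5C,0x01,0xFC,0xD9,0x6C,0x06,0xF5,0x63,0x3D,0x0F,0xEE,0xF5,0x0D,0x08,0xE7,0xC8,0x20,0x6E,0xFB,0x5E,0x10,0x69,0xF2,0xE4,0x41,0x60,0xE9,0x72,0x71,0x67,0xE0,0xD1,0xE4,0x03,0x04,0x47,0xD4,0x04,0x0D,0xFD,0x85,0x0D,0x16,0x6B,0xB5,0x0A,0x1F,0xFA,0xA8,0xB5,0x05,0x6C,0x98,0xB2,0x0C,0xD6,0xC9,0xBB,0x17,0x40,0xF9,0xBC,0x1E,0xE3,0x6C,0xD8,0xFA,0x75,0x5C,0xDF,0xF3,0xCF,0x0D,0xD6,0xE8,0x59,0x3D,0xD1,0xE1,0xAC,0x30,0xD9,0x06,0x3A,0x00,0xDE,0x0F,0x80,0x51,0xD7,0x14,0x16,0x61,0xD0,0x1D,0xB5,0xF4,0xB4,0xF9,0x23,0xC4,0xB3,0xF0,0x99,0x95,0xBA,0xEB,0x0F,0xA5,0xBD,0xE2,0x9E,0xB8,0x02,0xF8,0x08,0x88,0x05,0xF1,0xB2,0xD9,0x0C,0xEA,0x24,0xE9,0x0B,0xE3,0x87,0x7C,0x6F,0x07,0x11,0x4C,0x68,0x0E,0xAB,0x1D,0x61,0x15,0x3D,0x2D,0x66,0x1C,0x90,0x41,0xDC,0xF6,0x06,0x71,0xDB,0xFF,0xBC,0x20,0xD2,0xE4,0x2A,0x10,0xD5,0xED,0x89,0x85,0xB1,0x09,0x1F,0xB5,0xB6,0x00,0xA5,0xE4,0xBF,0x1B,0x33,0xD4,0xB8,0x12,0xA2,0xC9,0x07,0x08,0x34,0xF9,0x00,0x01,0x8E,0xA8,0x09,0x1A,0x18,0x98,0x0E,0x13,0xBB,0x0D,0x6A,0xF7,0x2D,0x3D,0x6D,0xFE,0x97,0x6C,0x64,0xE5,0x01,0x5C,0x63,0xEC,0xF4,0x51,0x6B,0x0B,0x62,0x61,0x6C,0x02,0xD8,0x30,0x65,0x19,0x4E,0x00,0x62,0x10,0xED,0x95,0x06,0xF4,0x7B,0xA5,0x01,0xFD,0xC1,0xF4,0x08,0xE6,0x57,0xC4,0x0F,0xEF,0xC6,0xD9,0xB0,0xF5,0x50,0xE9,0xB7,0xFC,0xEA,0xB8,0xBE,0xE7,0x7C,0x88,0xB9,0xEE,0xDF,0x1D,0xDD,0x0A,0x49,0x2D,0xDA,0x03,0xF3,0x7C,0xD3,0x18,0x65,0x4C,0xD4,0x11,0x58,0x61,0xB2,0x0D,0xCE,0x51,0xB5,0x04,0x74,0x00,0xBC,0x1F,0xE2,0x30,0xBB,0x16,0x41,0xA5,0xDF,0xF2,0xD7,0x95,0xD8,0xFB,0x6D,0xC4,0xD1,0xE0,0xFB,0xF4,0xD6,0xE9,0x6A,0xE9,0x69,0xF3,0xFC,0xD9,0x6E,0xFA,0x46,0x88,0x67,0xE1,0xD0,0xB8,0x60,0xE8,0x73,0x2D,0x04,0x0C,0xE5,0x1D,0x03,0x05,0x5F,0x4C,0x0A,0x1E,0xC9,0x7C,0x0D,0x17,0x3C,0x71,0x05,0xF0,0xAA,0x41,0x02,0xF9,0x10,0x10,0x0B,0xE2,0x86,0x20,0x0C,0xEB,0x25,0xB5,0x68,0x0F,0xB3,0x85,0x6F,0x06,0x09,0xD4,0x66,0x1D,0x9F,0xE4,0x61,0x14,0x0E,0xF9,0xDE,0x0E,0x98,0xC9,0xD9,0x07,0x22,0x98,0xD0,0x1C,0xB4,0xA8,0xD7,0x15,0x17,0x3D,0xB3,0xF1,0x81,0x0D,0xB4,0xF8,0x3B,0x5C,0xBD,0xE3,0xAD,0x6C,0xBA,0xEA,0x20,0x83,0xB8,0xED,0xB6,0xB3,0xBF,0xE4,0x0C,0xE2,0xB6,0xFF,0x9A,0xD2,0xB1,0xF6,0x39,0x47,0xD5,0x12,0xAF,0x77,0xD2,0x1B,0x15,0x26,0xDB,0x00,0x83,0x16,0xDC,0x09,0x12,0x0B,0x63,0x13,0x84,0x3B,0x64,0x1A,0x3E,0x6A,0x6D,0x01,0xA8,0x5A,0x6A,0x08,0x0B,0xCF,0x0E,0xEC,0x9D,0xFF,0x09,0xE5,0x27,0xAE,0x00,0xFE,0xB1,0x9E,0x07,0xF7,0x44,0x93,0x0F,0x10,0xD2,0xA3,0x08,0x19,0x68,0xF2,0x01,0x02,0xFE,0xC2,0x06,0x0B,0x5D,0x57,0x62,0xEF,0xCB,0x67,0x65,0xE6,0x71,0x36,0x6C,0xFD,0xE7,0x06,0x6B,0xF4,0x76,0x1B,0xD4,0xEE,0xE0,0x2B,0xD3,0xE7,0x5A,0x7A,0xDA,0xFC,0xCC,0x4A,0xDD,0xF5,0x6F,0xDF,0xB9,0x11,0xF9,0xEF,0xBE,0x18,0x43,0xBE,0xB7,0x03,0xD5,0x8E,0xB0,0x0A,0xE8,0xA3,0xD6,0x16,0x7E,0x93,0xD1,0x1F,0xC4,0xC2,0xD8,0x04,0x52,0xF2,0xDF,0x0D,0xF1,0x67,0xBB,0xE9,0x67,0x57,0xBC,0xE0,0xDD,0x06,0xB5,0xFB,0x4B,0x36,0xB2,0xF2,0xDA,0x2B,0x0D,0xE8,0x4C,0x1B,0x0A,0xE1,0xF6,0x4A,0x03,0xFA,0x60,0x7A,0x04,0xF3,0xC3,0xEF,0x60,0x17,0x55,0xDF,0x67,0x1E,0xEF,0x8E,0x6E,0x05,0x79,0xBE,0x69,0x0C,0x8C,0xB3,0x61,0xEB,0x1A,0x83,0x66,0xE2,0xA0,0xD2,0x6F,0xF9,0x36,0xE2,0x68,0xF0,0x95,0x77,0x0C,0x14,0x03,0x47,0x0B,0x1D,0xB9,0x16,0x02,0x06,0x2F,0x26,0x05,0x0F,0xBE,0x3B,0xBA,0x15,0x28,0x0B,0xBD,0x1C,0x92,0x5A,0xB4,0x07,0x04,0x6A,0xB3,0x0E,0xA7,0xFF,0xD7,0xEA,0x31,0xCF,0xD0,0xE3,0x8B,0x9E,0xD9,0xF8,0x1D,0xAE,0xDE,0xF1,0xB0,0xC2,0x64,0x1B,0x26,0xF2,0x63,0x12,0x9C,0xA3,0x6A,0x09,0x0A,0x93,0x6D,0x00,0xA9,0x06,0x09,0xE4,0x3F,0x36,0x0E,0xED,0x85,0x67,0x07,0xF6,0x13,0x57,0x00,0xFF,0x82,0x4A,0xBF,0xE5,0x14,0x7A,0xB8,0xEC,0xAE,0x2B,0xB1,0xF7,0x38,0x1B,0xB6,0xFE,0x9B,0x8E,0xD2,0x1A,0x0D,0xBE,0xD5,0x13,0xB7,0xEF,0xDC,0x08,0x21,0xDF,0xDB,0x01,0xD4,0xD2,0xD3,0xE6,0x42,0xE2,0xD4,0xEF,0xF8,0xB3,0xDD,0xF4,0x6E,0x83,0xDA,0xFD,0xCD,0x16,0xBE,0x19,0x5B,0x26,0xB9,0x10,0xE1,0x77,0xB0,0x0B,0x77,0x47,0xB7,0x02,0xE6,0x5A,0x08,0x18,0x70,0x6A,0x0F,0x11,0xCA,0x3B,0x06,0x0A,0x5C,0x0B,0x01,0x03,0xFF,0x9E,0x65,0xE7,0x69,0xAE,0x62,0xEE,0xD3,0xFF,0x6B,0xF5,0x45,0xCF,0x6C,0xFC,0x78,0xE2,0x0A,0xE0,0xEE,0xD2,0x0D,0xE9,0x54,0x83,0x04,0xF2,0xC2,0xB3,0x03,0xFB,0x61,0x26,0x67,0x1F,0xF7,0x16,0x60,0x16,0x4D,0x47,0x69,0x0D,0xDB,0x77,0x6E,0x04,0x4A,0x6A,0xD1,0x1E,0xDC,0x5A,0xD6,0x17,0x66,0x0B,0xDF,0x0C,0xF0,0x3B,0xD8,0x05,0x53,0xAE,0xBC,0xE1,0xC5,0x9E,0xBB,0xE8,0x7F,0xCF,0xB2,0xF3,0xE9,0xFF,0xB5,0xFA,0x1C,0xF2,0xBD,0x1D,0x8A,0xC2,0xBA,0x14,0x30,0x93,0xB3,0x0F,0xA6,0xA3,0xB4,0x06,0x05,0x36,0xD0,0xE2,0x93,0x06,0xD7,0xEB,0x29,0x57,0xDE,0xF0,0xBF,0x67,0xD9,0xF9,0x2E,0x7A,0x66,0xE3,0xB8,0x4A,0x61,0xEA,0x02,0x1B,0x68,0xF1,0x94,0x2B,0x6F,0xF8,0x37,0xBE,0x0B,0x1C,0xA1,0x8E,0x0C,0x15,0x1B,0xDF,0x05,0x0E,0x8D,0xEF,0x02,0x07]

# Reassemble the byte dump into little-endian 32-bit words, one per table entry.
# bytes() also rejects any element outside 0..255, so a corrupted dump fails loudly.
gkey_1 = [word for (word,) in struct.iter_unpack("<I", bytes(gkey_tmp))]

# The checksum indexes the table with a single byte, so it must hold exactly 256 words.
assert len(gkey_1) == 256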
 
# input should not be manipulated
 
 
def get_flag_0_7(f):
    """Return the 32-bit table-driven checksum of the unmodified flag string.

    The state starts at 0xFFFFFFFF. For every character the low state byte is
    XORed with the character code to pick an entry from the module-level
    ``gkey_1`` table, and that entry is XORed with the state shifted right by
    eight bits *arithmetically* (the sign bit is replicated). The final state
    is bit-inverted. The result is printed, and a second line is printed when
    it differs from 0xF52E0765.
    """
    state = 0xffffffff  # -1 truncated to 32 bits
    for ch in f:
        # Sign-preserving shift by 8: when bit 31 is set, the vacated top byte
        # is filled with ones instead of zeros.
        shifted = state >> 8
        if state & 0x80000000:
            shifted |= 0xff000000
        table_index = ((state & 0xff) ^ ord(ch)) & 0xff
        state = (gkey_1[table_index] ^ shifted) & 0xffffffff

    flag_0_7 = ~state & 0xffffffff
    print("[-] get flag_0_7: 0x{:08X}".format(flag_0_7))
    if flag_0_7 != 0xF52E0765:
        print("[@] flag_0_7 should be 0xF52E0765!!!")
    return flag_0_7
 
# manipulate
 
 
def manipulate_flag(f):
    """Map each flag character to a small integer and return the list.

    Characters with a code below 0x3A have 0x30 subtracted (so '0'..'9' become
    0..9); all other characters have 0x37 subtracted (so 'A' becomes 10).
    """
    return [ord(ch) - (0x37 if ord(ch) >= 0x3A else 0x30) for ch in f]
 
 
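def cal_whole_hash(f, l):
    """Fold the first ``l`` characters of ``f`` into a sign-extended 8-bit hash.

    Each character code is XORed into an accumulator, which is then stepped
    eight times: double it, keep the low byte, and XOR with 7 when that byte
    is above 0x7F. The final byte is widened to 32 bits as a signed value
    (0x80..0xFF become 0xFFFFFF80..0xFFFFFFFF). The result is printed and
    returned.

    With ``l == 0`` the hash is 0; the original raised UnboundLocalError there
    because its result variable was only assigned inside the loop.

    Raises:
        IndexError: if ``l`` is larger than ``len(f)``.
    """
    acc = 0
    for idx in range(l):
        acc ^= ord(f[idx])
        for _ in range(8):
            doubled = (2 * acc) & 0xff
            # The reduction constant 7 is applied based on the already-doubled
            # byte, exactly as in the original port.
            acc = doubled ^ 7 if doubled > 0x7f else doubled

    hash_whole_arg = acc & 0xff
    if hash_whole_arg > 0x7f:
        # Sign-extend the byte to a 32-bit two's-complement value.
        hash_whole_arg |= 0xffffff00

    print("[-] hash whole flag: 0x{:02X}".format(hash_whole_arg))
    return hash_whole_arg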
 
def cal_hash_3(flag, h_0):
    """Iterate a 32-bit 3n+1-style map 199 times and OR together three late states.

    Starting from ``h_0``: an odd value becomes ``3*h + 1`` truncated to 32
    bits; an even value is shifted right by one with bit 31 preserved. The
    values after steps 198, 197 and 196 are printed and their bitwise OR is
    printed and returned. ``flag`` is accepted but not used.
    """
    state = h_0
    history = [0]  # placeholder so history[k] is the state after step k
    for _ in range(199):
        if state & 1:
            state = (3 * state + 1) & 0xffffffff
        else:
            # Arithmetic shift right by one within 32 bits.
            state = ((state >> 1) | (state & 0x80000000)) & 0xffffffff
        history.append(state)

    last, middle, first = history[198], history[197], history[196]
    combined = last | middle | first
    print("[-] hash3 : 0x{:08X} 0x{:08X} 0x{:08X}".format(last, middle, first))
    print("[*] hash3-> : 0x{:08X}".format(combined))
    return combined
 
 
 
def run(flag_0):
    """Check a candidate flag against the enabled validation stages.

    Stage 1: get_flag_0_7() over the raw flag must equal 0xF52E0765.
    Stage 2: cal_hash_3(), seeded with cal_whole_hash() of the raw flag, must
    equal the XOR of the first three values returned by manipulate_flag().

    Returns 0 when both stages pass and -1 otherwise. Progress is printed.

    Everything after the unconditional ``return 0`` below is unreachable: the
    "KCTF" asserts and the divisibility check on positions 7..15 are kept in
    the source but are never executed.
    """
    print("[*] input flag: {}".format(flag_0))
    flag_len = len(flag_0)
    print("[*] flag length: {}".format(flag_len))
    #assert flag_len==16

    # Stage 1: checksum over the unmodified input.
    flag_0_7 = get_flag_0_7(flag_0)

    if(flag_0_7 != 0xF52E0765):
        return -1
        pass

    hashw = cal_whole_hash(flag_0, flag_len)

    flag_1 = manipulate_flag(flag_0)
    print("[*] manipulated flag: ", flag_1)

    # Stage 2: the iterated hash must match the XOR of the first three mapped values.
    hash3 = cal_hash_3(flag_1, hashw)
    print("[@] {:08X} vs {:08X}".format((flag_1[2])^(flag_1[1])^(flag_1[0]), hash3))

    # In Python `^` binds tighter than `!=`, so this compares hash3 with the whole XOR.
    if (hash3 != (flag_1[2])^(flag_1[1])^(flag_1[0])):
        return -1
        pass

    #@#############
    #@#############
    #@#############
    # Unconditional early exit: nothing below this line runs.
    return 0
    pass
    #@#############
    #@#############
    #@#############

    #assert hash3[198]^hash3[197]^hash3[196] == (flag_1[2])^(flag_1[1])^(flag_1[0])

    # (unreachable) v19 and flag_ are only computed and printed here.
    ans_0_1_2 = hash3
    v19 = ans_0_1_2+2
    flag_ = flag_len - v19 - 7
    print("[-] v19 : {:x}".format(v19))
    print("[-] flag_ : {:x}".format(flag_))

    # (unreachable) positions 3..6 must map to the values manipulate_flag()
    # produces for "KCTF".
    assert flag_1[3] == 0x14
    assert flag_1[4] == 0xC
    assert flag_1[5] == 0x1D
    assert flag_1[6] == 0xF

    ## check flag [7]~[15]
    # (unreachable) v37 accumulates positions 7..15 as a base-10 number; after
    # the k-th of them the running value must be divisible by k (k = 1..9).
    v37 = 0
    counter = 1
    for i in range(7,16):
        v23 = flag_1[i]+10*v37
        v24 = v23 - 0x37373737
        if ( v23 <= 0x4B435445 ):
            v24 = v23
        v37 = v24
        print("[_] v24({})/counter({})={}".format(v24, counter, v24%counter))

        if(v24%counter):
            print("[X] v24({}) should be multiple of counter({})".format(v24, counter))
            print("[X] but result is : {}".format(v24%counter))
            return -1
        counter += 1

    return 0
 
 
 
# The three pieces of the flag; flag_0_2 is overwritten by the search loop below.
flag_0_2 = "016"
flag_3_6 = "KCTF"
flag_7_ = "381654729"

# Earlier search over the nine-digit tail, kept for reference:
# items = ['1', '2', '3', '4', '5', '6', '7', '8', '9']
# for p in permutations(items):
#     flag_7_ = "".join(p)
#     print(flag_7_)
#     flag_0 = flag_0_2+flag_3_6+flag_7_
#     if(run(flag_0)==0):
#         print("!!!!!!!!!!!!!!! FIND !!!!!!!!!!1")
#         exit(-1)


# Search the three-character prefix over digits and upper-case letters.
# NOTE: permutations() never repeats an element, so prefixes that contain the
# same character twice (e.g. "AAB") are not tried.
items = list(string.digits + string.ascii_uppercase)
for p in permutations(items, 3):
    flag_0_2 = "".join(p)
    print(flag_0_2)
    flag_0 = "{}{}{}".format(flag_0_2, flag_3_6, flag_7_)
    if run(flag_0) != 0:
        continue
    print("!!!!!!!!!!!!!!! FIND !!!!!!!!!!1")
    # The script stops at the first hit, so the lines after the loop only run
    # when no candidate passed.
    exit(-1)


# The first assignment is immediately overwritten by the hard-coded flag.
flag_0 = flag_0_2 + flag_3_6 + flag_7_
flag_0 = "016KCTF381654729"
run(flag_0)
import struct
import logging
import binascii
from itertools import permutations
import string
 
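# Raw byte dump (1024 bytes) of the 256-entry lookup table used by get_flag_0_7().
# The scraped listing had this literal wrapped in the middle of two hex tokens
# ("0x3" / "0" and "0x5" / "7"), which is a syntax error; it is rejoined here.
# NOTE(review): the low three bytes of the leading entries match the standard
# CRC-32 table while the top byte differs, so binascii.crc32 presumably cannot
# be substituted for this table -- confirm against the target binary.
gkey_tmp = [0x00,0x00,0x00,0x00,0x96,0x30,0x07,0x09,0x2C,0x61,0x0E,0x12,0xBA,0x51,0x09,0x1B,0x19,0xC4,0x6D,0xFF,0x8F,0xF4,0x6A,0xF6,0x35,0xA5,0x63,0xED,0xA3,0x95,0x64,0xE4,0x32,0x88,0xDB,0xFE,0xA4,0xB8,0xDC,0xF7,0x1E,0xE9,0xD5,0xEC,0x88,0xD9,0xD2,0xE5,0x2B,0x4C,0xB6,0x01,0xBD,0x7C,0xB1,0x08,0x07,0x2D,0xB8,0x13,0x91,0x1D,0xBF,0x1A,0x64,0x10,0xB7,0xFD,0xF2,0x20,0xB0,0xF4,0x48,0x71,0xB9,0xEF,0xDE,0x41,0xBE,0xE6,0x7D,0xD4,0xDA,0x02,0xEB,0xE4,0xDD,0x0B,0x51,0xB5,0xD4,0x10,0xC7,0x85,0xD3,0x19,0x56,0x98,0x6C,0x03,0xC0,0xA8,0x6B,0x0A,0x7A,0xF9,0x62,0x11,0xEC,0xC9,0x65,0x18,0x4F,0x5C,0x01,0xFC,0xD9,0x6C,0x06,0xF5,0x63,0x3D,0x0F,0xEE,0xF5,0x0D,0x08,0xE7,0xC8,0x20,0x6E,0xFB,0x5E,0x10,0x69,0xF2,0xE4,0x41,0x60,0xE9,0x72,0x71,0x67,0xE0,0xD1,0xE4,0x03,0x04,0x47,0xD4,0x04,0x0D,0xFD,0x85,0x0D,0x16,0x6B,0xB5,0x0A,0x1F,0xFA,0xA8,0xB5,0x05,0x6C,0x98,0xB2,0x0C,0xD6,0xC9,0xBB,0x17,0x40,0xF9,0xBC,0x1E,0xE3,0x6C,0xD8,0xFA,0x75,0x5C,0xDF,0xF3,0xCF,0x0D,0xD6,0xE8,0x59,0x3D,0xD1,0xE1,0xAC,0x30,0xD9,0x06,0x3A,0x00,0xDE,0x0F,0x80,0x51,0xD7,0x14,0x16,0x61,0xD0,0x1D,0xB5,0xF4,0xB4,0xF9,0x23,0xC4,0xB3,0xF0,0x99,0x95,0xBA,0xEB,0x0F,0xA5,0xBD,0xE2,0x9E,0xB8,0x02,0xF8,0x08,0x88,0x05,0xF1,0xB2,0xD9,0x0C,0xEA,0x24,0xE9,0x0B,0xE3,0x87,0x7C,0x6F,0x07,0x11,0x4C,0x68,0x0E,0xAB,0x1D,0x61,0x15,0x3D,0x2D,0x66,0x1C,0x90,0x41,0xDC,0xF6,0x06,0x71,0xDB,0xFF,0xBC,0x20,0xD2,0xE4,0x2A,0x10,0xD5,0xED,0x89,0x85,0xB1,0x09,0x1F,0xB5,0xB6,0x00,0xA5,0xE4,0xBF,0x1B,0x33,0xD4,0xB8,0x12,0xA2,0xC9,0x07,0x08,0x34,0xF9,0x00,0x01,0x8E,0xA8,0x09,0x1A,0x18,0x98,0x0E,0x13,0xBB,0x0D,0x6A,0xF7,0x2D,0x3D,0x6D,0xFE,0x97,0x6C,0x64,0xE5,0x01,0x5C,0x63,0xEC,0xF4,0x51,0x6B,0x0B,0x62,0x61,0x6C,0x02,0xD8,0x30,0x65,0x19,0x4E,0x00,0x62,0x10,0xED,0x95,0x06,0xF4,0x7B,0xA5,0x01,0xFD,0xC1,0xF4,0x08,0xE6,0x57,0xC4,0x0F,0xEF,0xC6,0xD9,0xB0,0xF5,0x50,0xE9,0xB7,0xFC,0xEA,0xB8,0xBE,0xE7,0x7C,0x88,0xB9,0xEE,0xDF,0x1D,0xDD,0x0A,0x49,0x2D,0xDA,0x03,0xF3,0x7C,0xD3,0x18,0x65,0x4C,0xD4,0x11,0x58,0x61,0xB2,0x0D,0xCE,0x51,0xB5,0x04,0x74,0x00,0xBC,0x1F,0xE2,0x30,0xBB,0x16,0x41,0xA5,0xDF,0xF2,0xD7,0x95,0xD8,0xFB,0x6D,0xC4,0xD1,0xE0,0xFB,0xF4,0xD6,0xE9,0x6A,0xE9,0x69,0xF3,0xFC,0xD9,0x6E,0xFA,0x46,0x88,0x67,0xE1,0xD0,0xB8,0x60,0xE8,0x73,0x2D,0x04,0x0C,0xE5,0x1D,0x03,0x05,0x5F,0x4C,0x0A,0x1E,0xC9,0x7C,0x0D,0x17,0x3C,0x71,0x05,0xF0,0xAA,0x41,0x02,0xF9,0x10,0x10,0x0B,0xE2,0x86,0x20,0x0C,0xEB,0x25,0xB5,0x68,0x0F,0xB3,0x85,0x6F,0x06,0x09,0xD4,0x66,0x1D,0x9F,0xE4,0x61,0x14,0x0E,0xF9,0xDE,0x0E,0x98,0xC9,0xD9,0x07,0x22,0x98,0xD0,0x1C,0xB4,0xA8,0xD7,0x15,0x17,0x3D,0xB3,0xF1,0x81,0x0D,0xB4,0xF8,0x3B,0x5C,0xBD,0xE3,0xAD,0x6C,0xBA,0xEA,0x20,0x83,0xB8,0xED,0xB6,0xB3,0xBF,0xE4,0x0C,0xE2,0xB6,0xFF,0x9A,0xD2,0xB1,0xF6,0x39,0x47,0xD5,0x12,0xAF,0x77,0xD2,0x1B,0x15,0x26,0xDB,0x00,0x83,0x16,0xDC,0x09,0x12,0x0B,0x63,0x13,0x84,0x3B,0x64,0x1A,0x3E,0x6A,0x6D,0x01,0xA8,0x5A,0x6A,0x08,0x0B,0xCF,0x0E,0xEC,0x9D,0xFF,0x09,0xE5,0x27,0xAE,0x00,0xFE,0xB1,0x9E,0x07,0xF7,0x44,0x93,0x0F,0x10,0xD2,0xA3,0x08,0x19,0x68,0xF2,0x01,0x02,0xFE,0xC2,0x06,0x0B,0x5D,0x57,0x62,0xEF,0xCB,0x67,0x65,0xE6,0x71,0x36,0x6C,0xFD,0xE7,0x06,0x6B,0xF4,0x76,0x1B,0xD4,0xEE,0xE0,0x2B,0xD3,0xE7,0x5A,0x7A,0xDA,0xFC,0xCC,0x4A,0xDD,0xF5,0x6F,0xDF,0xB9,0x11,0xF9,0xEF,0xBE,0x18,0x43,0xBE,0xB7,0x03,0xD5,0x8E,0xB0,0x0A,0xE8,0xA3,0xD6,0x16,0x7E,0x93,0xD1,0x1F,0xC4,0xC2,0xD8,0x04,0x52,0xF2,0xDF,0x0D,0xF1,0x67,0xBB,0xE9,0x67,0x57,0xBC,0xE0,0xDD,0x06,0xB5,0xFB,0x4B,0x36,0xB2,0xF2,0xDA,0x2B,0x0D,0xE8,0x4C,0x1B,0x0A,0xE1,0xF6,0x4A,0x03,0xFA,0x60,0x7A,0x04,0xF3,0xC3,0xEF,0x60,0x17,0x55,0xDF,0x67,0x1E,0xEF,0x8E,0x6E,0x05,0x79,0xBE,0x69,0x0C,0x8C,0xB3,0x61,0xEB,0x1A,0x83,0x66,0xE2,0xA0,0xD2,0x6F,0xF9,0x36,0xE2,0x68,0xF0,0x95,0x77,0x0C,0x14,0x03,0x47,0x0B,0x1D,0xB9,0x16,0x02,0x06,0x2F,0x26,0x05,0x0F,0xBE,0x3B,0xBA,0x15,0x28,0x0B,0xBD,0x1C,0x92,0x5A,0xB4,0x07,0x04,0x6A,0xB3,0x0E,0xA7,0xFF,0xD7,0xEA,0x31,0xCF,0xD0,0xE3,0x8B,0x9E,0xD9,0xF8,0x1D,0xAE,0xDE,0xF1,0xB0,0xC2,0x64,0x1B,0x26,0xF2,0x63,0x12,0x9C,0xA3,0x6A,0x09,0x0A,0x93,0x6D,0x00,0xA9,0x06,0x09,0xE4,0x3F,0x36,0x0E,0xED,0x85,0x67,0x07,0xF6,0x13,0x57,0x00,0xFF,0x82,0x4A,0xBF,0xE5,0x14,0x7A,0xB8,0xEC,0xAE,0x2B,0xB1,0xF7,0x38,0x1B,0xB6,0xFE,0x9B,0x8E,0xD2,0x1A,0x0D,0xBE,0xD5,0x13,0xB7,0xEF,0xDC,0x08,0x21,0xDF,0xDB,0x01,0xD4,0xD2,0xD3,0xE6,0x42,0xE2,0xD4,0xEF,0xF8,0xB3,0xDD,0xF4,0x6E,0x83,0xDA,0xFD,0xCD,0x16,0xBE,0x19,0x5B,0x26,0xB9,0x10,0xE1,0x77,0xB0,0x0B,0x77,0x47,0xB7,0x02,0xE6,0x5A,0x08,0x18,0x70,0x6A,0x0F,0x11,0xCA,0x3B,0x06,0x0A,0x5C,0x0B,0x01,0x03,0xFF,0x9E,0x65,0xE7,0x69,0xAE,0x62,0xEE,0xD3,0xFF,0x6B,0xF5,0x45,0xCF,0x6C,0xFC,0x78,0xE2,0x0A,0xE0,0xEE,0xD2,0x0D,0xE9,0x54,0x83,0x04,0xF2,0xC2,0xB3,0x03,0xFB,0x61,0x26,0x67,0x1F,0xF7,0x16,0x60,0x16,0x4D,0x47,0x69,0x0D,0xDB,0x77,0x6E,0x04,0x4A,0x6A,0xD1,0x1E,0xDC,0x5A,0xD6,0x17,0x66,0x0B,0xDF,0x0C,0xF0,0x3B,0xD8,0x05,0x53,0xAE,0xBC,0xE1,0xC5,0x9E,0xBB,0xE8,0x7F,0xCF,0xB2,0xF3,0xE9,0xFF,0xB5,0xFA,0x1C,0xF2,0xBD,0x1D,0x8A,0xC2,0xBA,0x14,0x30,0x93,0xB3,0x0F,0xA6,0xA3,0xB4,0x06,0x05,0x36,0xD0,0xE2,0x93,0x06,0xD7,0xEB,0x29,0x57,0xDE,0xF0,0xBF,0x67,0xD9,0xF9,0x2E,0x7A,0x66,0xE3,0xB8,0x4A,0x61,0xEA,0x02,0x1B,0x68,0xF1,0x94,0x2B,0x6F,0xF8,0x37,0xBE,0x0B,0x1C,0xA1,0x8E,0x0C,0x15,0x1B,0xDF,0x05,0x0E,0x8D,0xEF,0x02,0x07]

# Reassemble the byte dump into little-endian 32-bit words, one per table entry.
# bytes() also rejects any element outside 0..255, so a corrupted dump fails loudly.
gkey_1 = [word for (word,) in struct.iter_unpack("<I", bytes(gkey_tmp))]

# The checksum indexes the table with a single byte, so it must hold exactly 256 words.
assert len(gkey_1) == 256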
 
# input should not be manipulated
 
 
def get_flag_0_7(f):
    """Return the 32-bit table-driven checksum of the unmodified flag string.

    The state starts at 0xFFFFFFFF. For every character the low state byte is
    XORed with the character code to pick an entry from the module-level
    ``gkey_1`` table, and that entry is XORed with the state shifted right by
    eight bits *arithmetically* (the sign bit is replicated). The final state
    is bit-inverted. The result is printed, and a second line is printed when
    it differs from 0xF52E0765.
    """
    state = 0xffffffff  # -1 truncated to 32 bits
    for ch in f:
        # Sign-preserving shift by 8: when bit 31 is set, the vacated top byte
        # is filled with ones instead of zeros.
        shifted = state >> 8
        if state & 0x80000000:
            shifted |= 0xff000000
        table_index = ((state & 0xff) ^ ord(ch)) & 0xff
        state = (gkey_1[table_index] ^ shifted) & 0xffffffff

    flag_0_7 = ~state & 0xffffffff
    print("[-] get flag_0_7: 0x{:08X}".format(flag_0_7))
    if flag_0_7 != 0xF52E0765:
        print("[@] flag_0_7 should be 0xF52E0765!!!")
    return flag_0_7
 
# manipulate
 
 
def manipulate_flag(f):
    """Map each flag character to a small integer and return the list.

    Characters with a code below 0x3A have 0x30 subtracted (so '0'..'9' become
    0..9); all other characters have 0x37 subtracted (so 'A' becomes 10).
    """
    return [ord(ch) - (0x37 if ord(ch) >= 0x3A else 0x30) for ch in f]
 
 
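def cal_whole_hash(f, l):
    """Fold the first ``l`` characters of ``f`` into a sign-extended 8-bit hash.

    Each character code is XORed into an accumulator, which is then stepped
    eight times: double it, keep the low byte, and XOR with 7 when that byte
    is above 0x7F. The final byte is widened to 32 bits as a signed value
    (0x80..0xFF become 0xFFFFFF80..0xFFFFFFFF). The result is printed and
    returned.

    With ``l == 0`` the hash is 0; the original raised UnboundLocalError there
    because its result variable was only assigned inside the loop.

    Raises:
        IndexError: if ``l`` is larger than ``len(f)``.
    """
    acc = 0
    for idx in range(l):
        acc ^= ord(f[idx])
        for _ in range(8):
            doubled = (2 * acc) & 0xff
            # The reduction constant 7 is applied based on the already-doubled
            # byte, exactly as in the original port.
            acc = doubled ^ 7 if doubled > 0x7f else doubled

    hash_whole_arg = acc & 0xff
    if hash_whole_arg > 0x7f:
        # Sign-extend the byte to a 32-bit two's-complement value.
        hash_whole_arg |= 0xffffff00

    print("[-] hash whole flag: 0x{:02X}".format(hash_whole_arg))
    return hash_whole_arg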
 
def cal_hash_3(flag, h_0):
    h = h_0
    v33 = [0,]
    for i in range(1,200):
        if (h&1)!=0:
            h = 3*h+1
            h &= 0xffffffff
        else:
