战队名称:中午吃什么
参赛题目:CrackMe(Windows)
题目答案:14725KCTF83690
使用方案一(老规则)
需要穷举爆破随机数种子(0-99999,穷举时间一分钟以内)
运行流程:
输入序列号
输出success或error
详细的题目设计说明:
判断输入文本长度是否为14
将输入文本拆分为3份(5字节、4字节、5字节)
将2个5字节转为int,作为随机数种子调用srand
调用rand生成20个int数据
rand生成的数据和全局数组相等且4字节文本为KCTF则成功
破解思路:
爆破2个5位数随机数种子(0-99999)
种子1+KCTF+种子2即为正确FALG
unsigned int arrSeed_14725[] = {
15356,
8563 ,
9659 ,
14347,
11283,
30142,
29542,
18083,
5057 ,
5531 ,
23391,
21327,
20023,
14852,
4865 ,
23820,
16725,
18665,
25042,
24920 };
unsigned int arrSeed_83690[] = {
11190,
27482,
980 ,
5419 ,
28164,
9548 ,
16558,
22218,
6113 ,
21959,
13889,
11580,
2625 ,
19397,
25139,
8167 ,
28165,
3950 ,
25496,
27351 };
int my_strlen(const char* StrDest)
{
return ('\0' != *StrDest) ? (1 + my_strlen(StrDest + 1)) : 0;
}
//爆破代码
int main()
{
int i, j;
int isSuccess = 0;
for (i = 0; i < 99999; i++)
{
isSuccess = 1;
//printf("0x%08x\n", i);
srand(i);
for (j = 0; j < 20; j++)
{
if (rand() != arrSeed_14725[j])
{
isSuccess = 0;
break;
}
}
if (isSuccess != 0)
{
printf("种子1:[%d]\n", i);
//break;
}
}
isSuccess = 0;
for (i = 0; i < 99999; i++)
{
isSuccess = 1;
//printf("0x%08x\n", i);
srand(i);
for (j = 0; j < 20; j++)
{
if (rand() != arrSeed_83690[j])
{
isSuccess = 0;
break;
}
}
if (isSuccess != 0)
{
printf("种子2:[%d]\n", i);
//break;
}
}
system("pause");
return 0;
}
//题目程序
int main()
{
int i = 0;
char szBuffer[128] = { 0 };
char szSeed1[6];
unsigned int dwSeed1;
char szKCTF[5];
char szSeed2[6];
unsigned int dwSeed2;
int isSuccess1;
int isSuccess2;
int isSuccess3;
//0-99999
//14725KCTF83690
printf("please input :\n");
scanf_s("%s", szBuffer, sizeof(szBuffer) - 1);
if (my_strlen(szBuffer) != 14)
{
printf("error\n");
system("pause");
return 0;
}
szSeed1[5] = '\0';
for (i = 0; i < 5; i++)
{
szSeed1[i] = szBuffer[i + 0];
}
dwSeed1 = atoi(szSeed1);
szKCTF[4] = '\0';
for (i = 0; i < 4; i++)
{
szKCTF[i] = szBuffer[i + 5];
}
szSeed2[5] = '\0';
for (i = 0; i < 5; i++)
{
szSeed2[i] = szBuffer[i + 5 + 4];
}
dwSeed2 = atoi(szSeed2);
//printf("%d\n", dwSeed1); //14725
//printf("%s\n", szKCTF); //KCTF
//printf("%d\n", dwSeed2); //83690
isSuccess1 = 1;
isSuccess2 = 1;
isSuccess3 = 0;
srand(dwSeed1);
for (i = 0; i < 20; i++)
{
if (rand() != arrSeed_14725[i])
{
isSuccess1 = 0;
break;
}
}
srand(dwSeed2);
for (i = 0; i < 20; i++)
{
if (rand() != arrSeed_83690[i])
{
isSuccess1 = 0;
break;
}
}
if (szKCTF[0] == 'K' &&
szKCTF[1] == 'C' &&
szKCTF[2] == 'T' &&
szKCTF[3] == 'F')
{
isSuccess3 = 1;
}
if (isSuccess1 != 0 && isSuccess2 != 0 && isSuccess3 != 0)
{
printf("success : %s\n", szBuffer);
system("pause");
return 0;
}
printf("error\n");
system("pause");
return 0;
}
unsigned int arrSeed_14725[] = {
15356,
8563 ,
9659 ,
14347,
11283,
30142,
29542,
18083,
5057 ,
5531 ,
23391,
21327,
20023,
14852,
4865 ,
23820,
16725,
18665,
25042,
24920 };
unsigned int arrSeed_83690[] = {
11190,
27482,
980 ,
5419 ,
28164,
9548 ,
16558,
22218,
6113 ,
21959,
13889,
11580,
2625 ,
19397,
25139,
8167 ,
28165,
3950 ,
25496,
27351 };
int my_strlen(const char* StrDest)
{
return ('\0' != *StrDest) ? (1 + my_strlen(StrDest + 1)) : 0;
}
//爆破代码
int main()
{
int i, j;
int isSuccess = 0;
for (i = 0; i < 99999; i++)
{
isSuccess = 1;
//printf("0x%08x\n", i);
srand(i);
for (j = 0; j < 20; j++)
{
if (rand() != arrSeed_14725[j])
{
isSuccess = 0;
break;
}
}
if (isSuccess != 0)
{
printf("种子1:[%d]\n", i);
//break;
}
}
isSuccess = 0;
for (i = 0; i < 99999; i++)
{
isSuccess = 1;
//printf("0x%08x\n", i);
srand(i);
for (j = 0; j < 20; j++)
{
if (rand() != arrSeed_83690[j])
{
isSuccess = 0;
break;
}
}
if (isSuccess != 0)
[培训]传播安全知识、拓宽行业人脉——看雪讲师团队等你加入!
最后于 2022-11-29 13:26
被kanxue编辑
,原因:
