-
-
[原创]KCTF2022秋季赛题目提交
-
发表于: 2022-10-17 15:57 3852
-
战队名称:中午吃什么
参赛题目:CrackMe(Windows)
题目答案:14725KCTF83690
使用方案一(老规则)
需要穷举爆破随机数种子(0-99999,穷举时间一分钟以内)
运行流程:
输入序列号
输出success或error
详细的题目设计说明:
判断输入文本长度是否为14
将输入文本拆分为3份(5字节、4字节、5字节)
将2个5字节转为int,作为随机数种子调用srand
调用rand生成20个int数据
rand生成的数据和全局数组相等且4字节文本为KCTF则成功
破解思路:
爆破2个5位数随机数种子(0-99999)
种子1+KCTF+种子2即为正确FALG
#include <stdio.h>
#include <stdlib.h>
unsigned
int
arrSeed_14725[]
=
{
15356
,
8563
,
9659
,
14347
,
11283
,
30142
,
29542
,
18083
,
5057
,
5531
,
23391
,
21327
,
20023
,
14852
,
4865
,
23820
,
16725
,
18665
,
25042
,
24920
};
unsigned
int
arrSeed_83690[]
=
{
11190
,
27482
,
980
,
5419
,
28164
,
9548
,
16558
,
22218
,
6113
,
21959
,
13889
,
11580
,
2625
,
19397
,
25139
,
8167
,
28165
,
3950
,
25496
,
27351
};
int
my_strlen(const char
*
StrDest)
{
return
(
'\0'
!
=
*
StrDest) ? (
1
+
my_strlen(StrDest
+
1
)) :
0
;
}
#if 0
/
/
爆破代码
int
main()
{
int
i, j;
int
isSuccess
=
0
;
for
(i
=
0
; i <
99999
; i
+
+
)
{
isSuccess
=
1
;
/
/
printf(
"0x%08x\n"
, i);
srand(i);
for
(j
=
0
; j <
20
; j
+
+
)
{
if
(rand() !
=
arrSeed_14725[j])
{
isSuccess
=
0
;
break
;
}
}
if
(isSuccess !
=
0
)
{
printf(
"种子1:[%d]\n"
, i);
/
/
break
;
}
}
isSuccess
=
0
;
for
(i
=
0
; i <
99999
; i
+
+
)
{
isSuccess
=
1
;
/
/
printf(
"0x%08x\n"
, i);
srand(i);
for
(j
=
0
; j <
20
; j
+
+
)
{
if
(rand() !
=
arrSeed_83690[j])
{
isSuccess
=
0
;
break
;
}
}
if
(isSuccess !
=
0
)
{
printf(
"种子2:[%d]\n"
, i);
/
/
break
;
}
}
system(
"pause"
);
return
0
;
}
#else
/
/
题目程序
int
main()
{
int
i
=
0
;
char szBuffer[
128
]
=
{
0
};
char szSeed1[
6
];
unsigned
int
dwSeed1;
char szKCTF[
5
];
char szSeed2[
6
];
unsigned
int
dwSeed2;
int
isSuccess1;
int
isSuccess2;
int
isSuccess3;
/
/
0
-
99999
/
/
14725KCTF83690
printf(
"please input :\n"
);
scanf_s(
"%s"
, szBuffer, sizeof(szBuffer)
-
1
);
if
(my_strlen(szBuffer) !
=
14
)
{
printf(
"error\n"
);
system(
"pause"
);
return
0
;
}
szSeed1[
5
]
=
'\0'
;
for
(i
=
0
; i <
5
; i
+
+
)
{
szSeed1[i]
=
szBuffer[i
+
0
];
}
dwSeed1
=
atoi(szSeed1);
szKCTF[
4
]
=
'\0'
;
for
(i
=
0
; i <
4
; i
+
+
)
{
szKCTF[i]
=
szBuffer[i
+
5
];
}
szSeed2[
5
]
=
'\0'
;
for
(i
=
0
; i <
5
; i
+
+
)
{
szSeed2[i]
=
szBuffer[i
+
5
+
4
];
}
dwSeed2
=
atoi(szSeed2);
/
/
printf(
"%d\n"
, dwSeed1);
/
/
14725
/
/
printf(
"%s\n"
, szKCTF);
/
/
KCTF
/
/
printf(
"%d\n"
, dwSeed2);
/
/
83690
isSuccess1
=
1
;
isSuccess2
=
1
;
isSuccess3
=
0
;
srand(dwSeed1);
for
(i
=
0
; i <
20
; i
+
+
)
{
if
(rand() !
=
arrSeed_14725[i])
{
isSuccess1
=
0
;
break
;
}
}
srand(dwSeed2);
for
(i
=
0
; i <
20
; i
+
+
)
{
if
(rand() !
=
arrSeed_83690[i])
{
isSuccess1
=
0
;
break
;
}
}
if
(szKCTF[
0
]
=
=
'K'
&&
szKCTF[
1
]
=
=
'C'
&&
szKCTF[
2
]
=
=
'T'
&&
szKCTF[
3
]
=
=
'F'
)
{
isSuccess3
=
1
;
}
if
(isSuccess1 !
=
0
&& isSuccess2 !
=
0
&& isSuccess3 !
=
0
)
{
printf(
"success : %s\n"
, szBuffer);
system(
"pause"
);
return
0
;
}
printf(
"error\n"
);
system(
"pause"
);
return
0
;
}
#endif
#include <stdio.h>
#include <stdlib.h>
unsigned
int
arrSeed_14725[]
=
{
15356
,
8563
,
9659
,
14347
,
11283
,
30142
,
29542
,
18083
,
5057
,
5531
,
23391
,
21327
,
20023
,
14852
,
4865
,
23820
,
16725
,
18665
,
25042
,
24920
};
unsigned
int
arrSeed_83690[]
=
{
11190
,
27482
,
980
,
5419
,
28164
,
9548
,
16558
,
22218
,
6113
,
21959
,
13889
,
11580
,
2625
,
19397
,
25139
,
8167
,
28165
,
3950
,
25496
,
27351
};
int
my_strlen(const char
*
StrDest)
{
return
(
'\0'
!
=
*
StrDest) ? (
1
+
my_strlen(StrDest
+
1
)) :
0
;
}
#if 0
/
/
爆破代码
int
main()
{
int
i, j;
int
isSuccess
=
0
;
for
(i
=
0
; i <
99999
; i
+
+
)
{
isSuccess
=
1
;
/
/
printf(
"0x%08x\n"
, i);
srand(i);
for
(j
=
0
; j <
20
; j
+
+
)
{
if
(rand() !
=
arrSeed_14725[j])
{
isSuccess
=
0
;
break
;
}
}
if
(isSuccess !
=
0
)
{
printf(
"种子1:[%d]\n"
, i);
/
/
break
;
}
}
isSuccess
=
0
;
for
(i
=
0
; i <
99999
; i
+
+
)
{
isSuccess
=
1
;
/
/
printf(
"0x%08x\n"
, i);
srand(i);
for
(j
=
0
; j <
20
; j
+
+
)
{
if
(rand() !
=
arrSeed_83690[j])
{
isSuccess
=
0
;
break
;
}
}
if
(isSuccess !
=
0
)
[培训]内核驱动高级班,冲击BAT一流互联网大厂工作,每周日13:00-18:00直播授课
最后于 2022-11-29 13:26
被kanxue编辑
,原因:
赞赏
他的文章
看原图
赞赏
雪币:
留言: