[Original] KCTF 2024 Challenge 7 WriteUp
Posted: 2024-8-28 17:55

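Fairly easy. I took an afternoon nap and woke up to find that first through fifth blood had all been taken, and my heart sank >_<

No obfuscation, no anti-debugging. Open it in IDA and the logic of the pseudocode is very clear:

  1. The serial number is XORed cyclically with a code region of size 0x2B9, giving buffer
  2. The cumulative XOR of every byte of buffer is stored in the last byte, and the remaining bytes are then XORed with that last byte
  3. The cumulative XOR of every byte of the username is taken modulo 0xF and multiplied by 2, giving a split point sp
  4. buffer is split into three parts: [:sp], [sp:sp+0x17:] and [sp+0x17:]
  5. The first and third parts are compared for equality against two blocks of code bytes
  6. Each byte of the second part is rotated left, where the rotation count is the byte at the corresponding offset of a block of code bytes, modulo 8
  7. The second part is compared for equality against "KCTF-2024-CRACK-SUCCESS"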
```python
import binascii

# Code bytes whose low 3 bits give the per-byte rotation counts (step 6).
shifter = binascii.a2b_hex("83EC4CA10030400033C48944244853555657BB18344000")


def circular_right_shift(value, shift, bit_length=8):
    """Rotate value right by shift bits (inverse of the rotate-left in step 6)."""
    value = value & ((1 << bit_length) - 1)
    shift %= bit_length
    right_shifted = value >> shift
    wrapped_around = (value << (bit_length - shift)) & ((1 << bit_length) - 1)
    return right_shifted | wrapped_around


# Undo step 6: the bytes that rotate left into the success string.
compare = [
    circular_right_shift(j, shifter[i] & 7)
    for i, j in enumerate(b"KCTF-2024-CRACK-SUCCESS")
]
# Target buffer after step 2: part 1 (20 bytes, so sp = 0x14 in this solve),
# part 2 (23 bytes) and part 3 (24 bytes), 67 bytes in total.
buffer = bytearray(
    binascii.a2b_hex("6810214000FF15DC3F40006800384000FF15D83F")
    + bytes(compare)
    + binascii.a2b_hex("0068D03F4000FF15D43F400083C414FF15A020400033C0C3")
)

# Undo step 2 in reverse order: first unmask bytes 0..65 with the last byte...
for i in range(66):
    buffer[i] ^= buffer[66]

# ...then remove the accumulated XOR from the last byte.
for i in range(66):
    buffer[66] ^= buffer[i]

# Code bytes the serial is XORed with in step 1.
func = binascii.a2b_hex(
    "83EC4CA10030400033C48944244853555657BB18344000E8C4FEFFFF8BF0B9100000008D7C2414F3A566A550A4FF15B02040008B7C24648B770483C40433C990B86B4CA407F7E1D1EA6BD2438BC12BC28A1431305404148D4404144181F9B90200007CDC8A4C2414B8010000008D49008A5404143254041583C00532540411325404133254041232CA83F8427CE28A54245632D1885424568D442414B94200000030104083E90175F88A0D0038400033C0BA0038400084C9741A8D9B000000000FB6C933C881E1FF000000428BC18A0A84C975EC8B3783E00F8D4444148D542414894424102BC285C07E688BE88BFE83F80472148B0F3B0A751283ED0483C20483C70483FD0473EC85ED74470FB60F0FB61A2BCB753183FD0176380FB64F010FB65A012BCB752083FD0276270FB64F020FB65A022BCB750F83FD0376160FB64F030FB652032BCAC1F91F83C9010F85FF000000BF2C0000002BF885FF7E718D4C042B8D54301783FF047219EB038D49008B023B01751283EF0483C10483C20483FF0473EC85FF74470FB6020FB6312BC6753183FF0176380FB642010FB671012BC6752083FF0276270FB642020FB671022BC6750F83FF0376160FB642030FB649032BC1C1F81F83C8010F85830000008B7424108B542460B905000000BFE83B4000F3A566A5A48B7204BDE83B4000BF170000000FBE168A450083E207B1082ACA8AD8D2EB8BCAD2E046450AD883EF01885DFF75DF8D5717B8F8204000B9E83B40008B313B30752B83EA0483C00483C10483FA0473EC8A103A1175178A50013A5101750F8A40023A410275076830214000EB056840214000FF15A42040008B4C245C83C4045F5E5D5B33CCE80400000083C44CC33B0D003040007502F3C3E9AC020000688C184000E8A3040000A1B8524000C70424844F4000FF35B4524000A3844F400068744F400068784F400068704F4000FF159820400083"
)

# Undo step 1: the cyclic XOR over 697 (0x2B9) bytes is its own inverse.
for i in range(697):
    buffer[i % 67] ^= func[i]

# The 67-byte serial, hex-encoded.
print(binascii.b2a_hex(buffer).decode())
```
d287e2bb87cbda561717c90e08eba2ad13cf09e4eb4428f36cf11cf83cea678dfa19e081bc5d66cdc17d1c2a4121e0d1fd330ed9c21474e364a4e4d6b02c4644b1b5cc
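
The seven steps above and the solver's inversion of them, as an added example that is not part of the original post: it models the check and a keygen for any username, where the post's solver fixes one split point. KEY, REF and ROT are constructed stand-in bytes rather than the binary's code, and taking parts 1 and 3 from a single reference block is an assumption of this model.

```python
import hashlib
from functools import reduce
from operator import xor

MAGIC = b"KCTF-2024-CRACK-SUCCESS"  # 0x17 bytes, string from step 7
N = 67                              # buffer length used by the solver above

def fake_code(tag, n):  # constructed stand-in bytes, NOT the binary's real code
    blocks = (hashlib.sha256(tag + bytes([i])).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

KEY = fake_code(b"key", 0x2B9)     # region XORed with the serial (step 1)
REF = fake_code(b"ref", N - 0x17)  # assumed: parts 1 and 3 both come from this block
ROT = fake_code(b"rot", 0x17)      # byte value mod 8 = rotation count (step 6)

def rol(b, r):
    return ((b << (r % 8)) | (b >> (8 - r % 8))) & 0xFF

def split_point(user):  # step 3, as stated in the write-up
    return (reduce(xor, user, 0) % 0xF) * 2

def fold(buf):  # step 2: last byte = XOR of all bytes, then it masks the rest
    buf[-1] = reduce(xor, buf)
    for i in range(len(buf) - 1):
        buf[i] ^= buf[-1]

def unfold(buf):  # inverse of fold: same operations, opposite order
    for i in range(len(buf) - 1):
        buf[i] ^= buf[-1]
    buf[-1] = reduce(xor, buf)

def check(user, serial):  # forward direction, steps 1-7
    if len(serial) != N:
        return False
    buf = bytearray(serial)
    for i, k in enumerate(KEY):
        buf[i % N] ^= k
    fold(buf)
    sp = split_point(user)
    mid = bytes(rol(b, ROT[i]) for i, b in enumerate(buf[sp:sp + 0x17]))
    return mid == MAGIC and bytes(buf[:sp] + buf[sp + 0x17:]) == REF

def keygen(user):  # inverse direction, generalised to any split point
    sp = split_point(user)
    mid = bytes(rol(b, 8 - ROT[i] % 8) for i, b in enumerate(MAGIC))
    buf = bytearray(REF[:sp] + mid + REF[sp:])
    unfold(buf)
    for i, k in enumerate(KEY):
        buf[i % N] ^= k
    return bytes(buf)
```

Because every step is an XOR or a rotation, the keygen is the check run backwards; the only ordering trap is step 2, where the two loops must be applied in the opposite order.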