-
-
[原创]KCTF 2024 第七题 WriteUp
-
发表于: 2024-8-28 17:55 533
-
KCTF 2024 第七题 WriteUp
比较简单,睡了个午觉起来发现一二三四五血都出来了,心拔凉拔凉的 >_<
没有混淆,没有反调试,IDA打开,伪代码的逻辑很清晰
- 将序列号与一块0x2B9大小的代码段进行循环异或,得到buffer
- 把buffer每个字节叠加异或的值存在末尾,其余字节再与末尾字节异或
- 把用户名每个字节叠加异或的值取模0xF再乘2,得到一个分割点sp
- 把buffer分为[:sp]、[sp:sp+0x17:]、[sp+0x17:]三部分
- 第一部分和第三部分拿去与两块代码段进行比较是否相同
- 第二部分每个字节进行循环左移,循环左移位数为一块代码段对应偏移的字节取模8
- 将第二部分与"KCTF-2024-CRACK-SUCCESS"进行比较是否相同
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 | import binascii shifter = binascii.a2b_hex( "83EC4CA10030400033C48944244853555657BB18344000" ) def circular_right_shift(value, shift, bit_length = 8 ): value = value & (( 1 << bit_length) - 1 ) shift % = bit_length right_shifted = value >> shift wrapped_around = (value << (bit_length - shift)) & (( 1 << bit_length) - 1 ) return right_shifted | wrapped_around compare = [ circular_right_shift(j, shifter[i] & 7 ) for i, j in enumerate (b "KCTF-2024-CRACK-SUCCESS" ) ] buffer = bytearray( binascii.a2b_hex( "6810214000FF15DC3F40006800384000FF15D83F" ) + bytes(compare) + binascii.a2b_hex( "0068D03F4000FF15D43F400083C414FF15A020400033C0C3" ) ) for i in range ( 66 ): buffer [i] ^ = buffer [ 66 ] for i in range ( 66 ): buffer [ 66 ] ^ = buffer [i] func = binascii.a2b_hex( "83EC4CA10030400033C48944244853555657BB18344000E8C4FEFFFF8BF0B9100000008D7C2414F3A566A550A4FF15B02040008B7C24648B770483C40433C990B86B4CA407F7E1D1EA6BD2438BC12BC28A1431305404148D4404144181F9B90200007CDC8A4C2414B8010000008D49008A5404143254041583C00532540411325404133254041232CA83F8427CE28A54245632D1885424568D442414B94200000030104083E90175F88A0D0038400033C0BA0038400084C9741A8D9B000000000FB6C933C881E1FF000000428BC18A0A84C975EC8B3783E00F8D4444148D542414894424102BC285C07E688BE88BFE83F80472148B0F3B0A751283ED0483C20483C70483FD0473EC85ED74470FB60F0FB61A2BCB753183FD0176380FB64F010FB65A012BCB752083FD0276270FB64F020FB65A022BCB750F83FD0376160FB64F030FB652032BCAC1F91F83C9010F85FF000000BF2C0000002BF885FF7E718D4C042B8D54301783FF047219EB038D49008B023B01751283EF0483C10483C20483FF0473EC85FF74470FB6020FB6312BC6753183FF0176380FB642010FB671012BC6752083FF0276270FB642020FB671022BC6750F83FF0376160FB642030FB649032BC1C1F81F83C8010F85830000008B7424108B542460B905000000BFE83B4000F3A566A5A48B7204BDE83B4000BF170000000FBE168A450083E207B1082ACA8AD8D2EB8BCAD2E046450AD883EF01885DFF75DF8D5717B8F8204000B9E83B40008B313B30752B83EA0483C00483C10483FA0473EC8A103A1175178A50013A5101750F8A40023A410275076830214000EB056840214000FF15A42040008B4C245C83C4045F5E5D5B33CCE80400000083C44CC33B0D003040007502F3C3E9AC020000688C184000E8A3040000A1B8524000C70424844F4000FF35B4524000A3844F400068744F400068784F400068704F4000FF159820400083" ) for i in range ( 697 ): buffer [i % 67 ] ^ = func[i] print (binascii.b2a_hex( buffer ).decode()) |
1 | d287e2bb87cbda561717c90e08eba2ad13cf09e4eb4428f36cf11cf83cea678dfa19e081bc5d66cdc17d1c2a4121e0d1fd330ed9c21474e364a4e4d6b02c4644b1b5cc |
[招生]科锐逆向工程师培训(2024年11月15日实地,远程教学同时开班, 第51期)
赞赏
他的文章
看原图
赞赏
雪币:
留言: