KCTF 2024 第七题 WriteUp

比较简单，睡了个午觉起来发现一二三四五血都出来了，心拔凉拔凉的 >_<

没有混淆，没有反调试，IDA打开，伪代码的逻辑很清晰

将序列号与一块0x2B9大小的代码段进行循环异或，得到buffer
把buffer每个字节叠加异或的值存在末尾，其余字节再与末尾字节异或
把用户名每个字节叠加异或的值取模0xF再乘2，得到一个分割点sp
把buffer分为[:sp]、[sp:sp+0x17:]、[sp+0x17:]三部分
第一部分和第三部分拿去与两块代码段进行比较是否相同
第二部分每个字节进行循环左移，循环左移位数为一块代码段对应偏移的字节取模8
将第二部分与"KCTF-2024-CRACK-SUCCESS"进行比较是否相同

import binascii
 
shifter = binascii.a2b_hex("83EC4CA10030400033C48944244853555657BB18344000")
 
 
def circular_right_shift(value, shift, bit_length=8):
    value = value & ((1 << bit_length) - 1)
    shift %= bit_length
    right_shifted = value >> shift
    wrapped_around = (value << (bit_length - shift)) & ((1 << bit_length) - 1)
    return right_shifted | wrapped_around
 
 
compare = [
    circular_right_shift(j, shifter[i] & 7)
    for i, j in enumerate(b"KCTF-2024-CRACK-SUCCESS")
]
buffer = bytearray(
    binascii.a2b_hex("6810214000FF15DC3F40006800384000FF15D83F")
    + bytes(compare)
    + binascii.a2b_hex("0068D03F4000FF15D43F400083C414FF15A020400033C0C3")
)
 
for i in range(66):
    buffer[i] ^= buffer[66]
 
for i in range(66):
    buffer[66] ^= buffer[i]
 
func = binascii.a2b_hex(
    "83EC4CA10030400033C48944244853555657BB18344000E8C4FEFFFF8BF0B9100000008D7C2414F3A566A550A4FF15B02040008B7C24648B770483C40433C990B86B4CA407F7E1D1EA6BD2438BC12BC28A1431305404148D4404144181F9B90200007CDC8A4C2414B8010000008D49008A5404143254041583C00532540411325404133254041232CA83F8427CE28A54245632D1885424568D442414B94200000030104083E90175F88A0D0038400033C0BA0038400084C9741A8D9B000000000FB6C933C881E1FF000000428BC18A0A84C975EC8B3783E00F8D4444148D542414894424102BC285C07E688BE88BFE83F80472148B0F3B0A751283ED0483C20483C70483FD0473EC85ED74470FB60F0FB61A2BCB753183FD0176380FB64F010FB65A012BCB752083FD0276270FB64F020FB65A022BCB750F83FD0376160FB64F030FB652032BCAC1F91F83C9010F85FF000000BF2C0000002BF885FF7E718D4C042B8D54301783FF047219EB038D49008B023B01751283EF0483C10483C20483FF0473EC85FF74470FB6020FB6312BC6753183FF0176380FB642010FB671012BC6752083FF0276270FB642020FB671022BC6750F83FF0376160FB642030FB649032BC1C1F81F83C8010F85830000008B7424108B542460B905000000BFE83B4000F3A566A5A48B7204BDE83B4000BF170000000FBE168A450083E207B1082ACA8AD8D2EB8BCAD2E046450AD883EF01885DFF75DF8D5717B8F8204000B9E83B40008B313B30752B83EA0483C00483C10483FA0473EC8A103A1175178A50013A5101750F8A40023A410275076830214000EB056840214000FF15A42040008B4C245C83C4045F5E5D5B33CCE80400000083C44CC33B0D003040007502F3C3E9AC020000688C184000E8A3040000A1B8524000C70424844F4000FF35B4524000A3844F400068744F400068784F400068704F4000FF159820400083"
)
 
for i in range(697):
    buffer[i % 67] ^= func[i]
 
print(binascii.b2a_hex(buffer).decode())