[原创] 07wp-CTF对抗-看雪-安全社区|安全招聘|kanxue.com

[原创] 07wp

发表于: 2024-8-28 22:08 515

[原创] 07wp

mb_czamoutp 活跃值

2024-8-28 22:08

515

# swap_code 就是401020开头的697个字节，如果加了软件断点就会不同
# 要求挖空部分 预处理 + swap bit 之后和KCTF...相等
# 剩下部分预处理之后和原来的main_code相等
# 最后一位是异或和，一定等于ret(c3)
const_xor_key = [121, 84, 0, 56, 68, 247, 12, 73, 235, 148, 10, 165, 203, 16, 33, 110, 47, 25, 18, 24, 65, 179, 174, 19,
                 130, 0, 239, 9, 121, 251, 5, 107, 45, 153, 74, 43, 50, 52, 205, 77, 86, 237, 140, 233, 234, 50, 28, 82,
                 62, 15, 216, 206, 62, 151, 183, 163, 99, 115, 216, 0, 211, 207, 197, 135, 65, 182, 119]
swap_code = bytes.fromhex('83ec4ca10030400033c48944244853555657bb18344000')
main_code = bytes.fromhex('6810214000FF15DC3F40006800384000FF15D83F40006820214000FF15DC3F400068'
                          '18344000FF15D83F400068D03F4000FF15D43F400083C414FF15A020400033C0C3')
 
 
def xor_sum(_s):
    res = 0
    for c in _s:
        res ^= c
    return res
 
 
def swap_bits(_b, _x, rev=False):
    _x &= 7
    if rev:
        hi = _b >> _x
        lo = _b << (8 - _x)
    else:
        lo = _b >> (8 - _x)
        hi = _b << _x
    hi &= 0xff
    lo &= 0xff
    return hi | lo
 
 
user = b'KCTF'  # KCTF
u_index = (xor_sum(user) & 0xf) * 2
 
 
goal = list(main_code[:u_index] + b'KCTF-2024-CRACK-SUCCESS' + main_code[u_index + 23:])
for i in range(u_index, u_index + 23):
    goal[i] = swap_bits(goal[i], swap_code[i - u_index], True)
 
for i in range(67):
    goal[i] ^= 0xc3 ^ const_xor_key[i]
 
goal[66] = xor_sum(goal[:66]) ^ 203 ^ 0xc3
print("Serial:", bytes(goal).hex())
 
 
# key = list(bytes.fromhex(bytes(goal).hex()))
# 
# k_xor_sum = xor_sum(key) ^ 203
# 
# for i in range(67):
#     key[i] ^= k_xor_sum ^ const_xor_key[i]
# 
# 
# for i in range(u_index, u_index + 23):
#     key[i] = swap_bits(key[i], swap_code[i - u_index])
# 
# print(bytes(key))