-
-
第七题 星际移民_WP
-
发表于: 2024-8-29 11:18 631
-
该题的主要逻辑在0x401120开始处的函数,开始会将输入的序列号格式化成67字节,然后与该函数起始处0x2B9长度的字节进行循环异或
这里如果提前下断就会导致原本的字节变成0xCC从而影响运算的结果,在调试给出的序列号时,可以在0x401184处下断,然后将序列号0x21处的值改为0x90(原本是0xD6)从而避免断点影响结果,后面就可以正常下断了
接下来会将前66个字节互相异或,得到v4,再将v4与第67个字节进行异或,得到v7,同时更新第67个字节为v7
之后会通过对用户名进行各自异或算出一个长度,假设是x
之后会对序列号进行check,需要满足如下条件:
- 序列号前x字节与main开头的x字节相同
- 序列号x+0x17处开始的剩余0x2c-x个字节,需要与main偏移x+0x17处开始的0x2c-x个字节相同
- 序列号中间的0x17个字节在经过运算后,需要与
KCTF-2024-CRACK-SUCCESS
相同
这里前面和后面累计0x2C大小的字节直接从main里面找就行。中间0x17字节,可以调试给出的序列号得到
之后将三部分序列号拼接,异或回去就可以得到对应的字符串
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 | res = [ '0x68' , '0x10' , '0x21' , '0x40' , '0x00' , '0xFF' , '0x15' , '0xDC' , '0x3F' , '0x40' , '0x00' , '0x68' , '0x00' , '0x38' , '0x40' , '0x00' , '0xFF' , '0x15' , '0xD8' , '0x3F' , '0x69' , '0x34' , '0x45' , '0x23' , '0x2D' , '0x32' , '0x30' , '0x32' , '0x86' , '0xD2' , '0xA1' , '0x25' , '0x14' , '0x43' , '0x69' , '0x69' , '0x4D' , '0xAA' , '0x68' , '0x43' , '0x54' , '0x53' , '0x53' , '0x00' , '0x68' , '0xD0' , '0x3F' , '0x40' , '0x00' , '0xFF' , '0x15' , '0xD4' , '0x3F' , '0x40' , '0x00' , '0x83' , '0xC4' , '0x14' , '0xFF' , '0x15' , '0xA0' , '0x20' , '0x40' , '0x00' , '0x33' , '0xC0' , '0xC3' ] check = [ '83' , 'EC' , '4C' , 'A1' , '00' , '30' , '40' , '00' , '33' , 'C4' , '89' , '44' , '24' , '48' , '53' , '55' , '56' , '57' , 'BB' , '18' , '34' , '40' , '00' , 'E8' , 'C4' , 'FE' , 'FF' , 'FF' , '8B' , 'F0' , 'B9' , '10' , '00' , '00' , '00' , '8D' , '7C' , '24' , '14' , 'F3' , 'A5' , '66' , 'A5' , '50' , 'A4' , 'FF' , '15' , 'B0' , '20' , '40' , '00' , '8B' , '7C' , '24' , '64' , '8B' , '77' , '04' , '83' , 'C4' , '04' , '33' , 'C9' , '90' , 'B8' , '6B' , '4C' , 'A4' , '07' , 'F7' , 'E1' , 'D1' , 'EA' , '6B' , 'D2' , '43' , '8B' , 'C1' , '2B' , 'C2' , '8A' , '14' , '31' , '30' , '54' , '04' , '14' , '8D' , '44' , '04' , '14' , '41' , '81' , 'F9' , 'B9' , '02' , '00' , '00' , '7C' , 'DC' , '8A' , '4C' , '24' , '14' , 'B8' , '01' , '00' , '00' , '00' , '8D' , '49' , '00' , '8A' , '54' , '04' , '14' , '32' , '54' , '04' , '15' , '83' , 'C0' , '05' , '32' , '54' , '04' , '11' , '32' , '54' , '04' , '13' , '32' , '54' , '04' , '12' , '32' , 'CA' , '83' , 'F8' , '42' , '7C' , 'E2' , '8A' , '54' , '24' , '56' , '32' , 'D1' , '88' , '54' , '24' , '56' , '8D' , '44' , '24' , '14' , 'B9' , '42' , '00' , '00' , '00' , '30' , '10' , '40' , '83' , 'E9' , '01' , '75' , 'F8' , '8A' , '0D' , '00' , '38' , '40' , '00' , '33' , 'C0' , 'BA' , '00' , '38' , '40' , '00' , '84' , 'C9' , '74' , '1A' , '8D' , '9B' , '00' , '00' , '00' , '00' , '0F' , 'B6' , 'C9' , '33' , 'C8' , '81' , 'E1' , 'FF' , '00' , '00' , '00' , '42' , '8B' , 'C1' , '8A' , '0A' , '84' , 'C9' , '75' , 'EC' , '8B' , '37' , '83' , 'E0' , '0F' , '8D' , '44' , '44' , '14' , '8D' , '54' , '24' , '14' , '89' , '44' , '24' , '10' , '2B' , 'C2' , '85' , 'C0' , '7E' , '68' , '8B' , 'E8' , '8B' , 'FE' , '83' , 'F8' , '04' , '72' , '14' , '8B' , '0F' , '3B' , '0A' , '75' , '12' , '83' , 'ED' , '04' , '83' , 'C2' , '04' , '83' , 'C7' , '04' , '83' , 'FD' , '04' , '73' , 'EC' , '85' , 'ED' , '74' , '47' , '0F' , 'B6' , '0F' , '0F' , 'B6' , '1A' , '2B' , 'CB' , '75' , '31' , '83' , 'FD' , '01' , '76' , '38' , '0F' , 'B6' , '4F' , '01' , '0F' , 'B6' , '5A' , '01' , '2B' , 'CB' , '75' , '20' , '83' , 'FD' , '02' , '76' , '27' , '0F' , 'B6' , '4F' , '02' , '0F' , 'B6' , '5A' , '02' , '2B' , 'CB' , '75' , '0F' , '83' , 'FD' , '03' , '76' , '16' , '0F' , 'B6' , '4F' , '03' , '0F' , 'B6' , '52' , '03' , '2B' , 'CA' , 'C1' , 'F9' , '1F' , '83' , 'C9' , '01' , '0F' , '85' , 'FF' , '00' , '00' , '00' , 'BF' , '2C' , '00' , '00' , '00' , '2B' , 'F8' , '85' , 'FF' , '7E' , '71' , '8D' , '4C' , '04' , '2B' , '8D' , '54' , '30' , '17' , '83' , 'FF' , '04' , '72' , '19' , 'EB' , '03' , '8D' , '49' , '00' , '8B' , '02' , '3B' , '01' , '75' , '12' , '83' , 'EF' , '04' , '83' , 'C1' , '04' , '83' , 'C2' , '04' , '83' , 'FF' , '04' , '73' , 'EC' , '85' , 'FF' , '74' , '47' , '0F' , 'B6' , '02' , '0F' , 'B6' , '31' , '2B' , 'C6' , '75' , '31' , '83' , 'FF' , '01' , '76' , '38' , '0F' , 'B6' , '42' , '01' , '0F' , 'B6' , '71' , '01' , '2B' , 'C6' , '75' , '20' , '83' , 'FF' , '02' , '76' , '27' , '0F' , 'B6' , '42' , '02' , '0F' , 'B6' , '71' , '02' , '2B' , 'C6' , '75' , '0F' , '83' , 'FF' , '03' , '76' , '16' , '0F' , 'B6' , '42' , '03' , '0F' , 'B6' , '49' , '03' , '2B' , 'C1' , 'C1' , 'F8' , '1F' , '83' , 'C8' , '01' , '0F' , '85' , '83' , '00' , '00' , '00' , '8B' , '74' , '24' , '10' , '8B' , '54' , '24' , '60' , 'B9' , '05' , '00' , '00' , '00' , 'BF' , 'E8' , '3B' , '40' , '00' , 'F3' , 'A5' , '66' , 'A5' , 'A4' , '8B' , '72' , '04' , 'BD' , 'E8' , '3B' , '40' , '00' , 'BF' , '17' , '00' , '00' , '00' , '0F' , 'BE' , '16' , '8A' , '45' , '00' , '83' , 'E2' , '07' , 'B1' , '08' , '2A' , 'CA' , '8A' , 'D8' , 'D2' , 'EB' , '8B' , 'CA' , 'D2' , 'E0' , '46' , '45' , '0A' , 'D8' , '83' , 'EF' , '01' , '88' , '5D' , 'FF' , '75' , 'DF' , '8D' , '57' , '17' , 'B8' , 'F8' , '20' , '40' , '00' , 'B9' , 'E8' , '3B' , '40' , '00' , '8B' , '31' , '3B' , '30' , '75' , '2B' , '83' , 'EA' , '04' , '83' , 'C0' , '04' , '83' , 'C1' , '04' , '83' , 'FA' , '04' , '73' , 'EC' , '8A' , '10' , '3A' , '11' , '75' , '17' , '8A' , '50' , '01' , '3A' , '51' , '01' , '75' , '0F' , '8A' , '40' , '02' , '3A' , '41' , '02' , '75' , '07' , '68' , '30' , '21' , '40' , '00' , 'EB' , '05' , '68' , '40' , '21' , '40' , '00' , 'FF' , '15' , 'A4' , '20' , '40' , '00' , '8B' , '4C' , '24' , '5C' , '83' , 'C4' , '04' , '5F' , '5E' , '5D' , '5B' , '33' , 'CC' , 'E8' , '04' , '00' , '00' , '00' , '83' , 'C4' , '4C' , 'C3' , '3B' , '0D' , '00' , '30' , '40' , '00' , '75' , '02' , 'F3' , 'C3' , 'E9' , 'AC' , '02' , '00' , '00' , '68' , '8C' , '18' , '40' , '00' , 'E8' , 'A3' , '04' , '00' , '00' , 'A1' , 'B8' , '52' , '40' , '00' , 'C7' , '04' , '24' , '84' , '4F' , '40' , '00' , 'FF' , '35' , 'B4' , '52' , '40' , '00' , 'A3' , '84' , '4F' , '40' , '00' , '68' , '74' , '4F' , '40' , '00' , '68' , '78' , '4F' , '40' , '00' , '68' , '70' , '4F' , '40' , '00' , 'FF' , '15' , '98' , '20' , '40' , '00' , '83' ] def decrypt(): v7 = res[ 0x42 ] for i in range ( 66 ): temp = int (v7, 16 ) ^ int (res[i], 16 ) res[i] = hex (temp) v4 = 0 for i in range ( 66 ): v4 = v4 ^ int (res[i], 16 ) res[ 66 ] = hex (v4 ^ int (v7, 16 )) for i in range ( len (check)): temp = int (check[i], 16 ) ^ int (res[i % 67 ], 16 ) if (temp < 16 ): res[i % 67 ] = '0' + hex (temp)[ 2 :] else : res[i % 67 ] = hex (temp)[ 2 :] print (''.join(res)) if __name__ = = '__main__' : decrypt() |
[注意]传递专业知识、拓宽行业人脉——看雪讲师团队等你加入!
赞赏
看原图
赞赏
雪币:
留言: