Challenge 7: Interstellar Migration (星际移民) write-up
Posted: 2024-8-29 11:18 542


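The challenge's main logic is in the function that starts at 0x401120. It first formats the input serial number into 67 bytes, then XORs that buffer cyclically with the 0x2B9 bytes at the start of this same function.

If a breakpoint is set here in advance, the original byte is replaced by 0xCC, which changes the result of the computation. When debugging the provided serial number, you can set a breakpoint at 0x401184 (offset 0x64 into the function, and 0x64 mod 67 = 0x21) and then change the value at offset 0x21 of the serial to 0x90 (it was originally 0xD6), so that the breakpoint no longer affects the result. After that, breakpoints can be set normally.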

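Next, the first 66 bytes are XORed together to give v4. v4 is then XORed with the 67th byte to give v7, and the 67th byte is updated to v7.

After that, a length is computed by XORing the bytes of the username together; call it x.

The serial number is then checked and must satisfy the following conditions:

  • The first x bytes of the serial are identical to the first x bytes of main
  • The remaining 0x2c-x bytes of the serial, starting at offset x+0x17, are identical to the 0x2c-x bytes of main starting at offset x+0x17
  • The middle 0x17 bytes of the serial, after a transformation, equal KCTF-2024-CRACK-SUCCESS

The leading and trailing parts, 0x2C bytes in total, can be taken directly from main. The middle 0x17 bytes can be obtained by debugging the provided serial number.

Finally, concatenate the three parts of the serial and XOR back to obtain the corresponding string.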

res = ['0x68', '0x10', '0x21', '0x40', '0x00', '0xFF', '0x15', '0xDC', '0x3F', '0x40', '0x00', '0x68', '0x00', '0x38', '0x40', '0x00', '0xFF', '0x15', '0xD8', '0x3F', '0x69', '0x34', '0x45', '0x23', '0x2D', '0x32', '0x30', '0x32', '0x86', '0xD2', '0xA1', '0x25', '0x14', '0x43', '0x69', '0x69', '0x4D', '0xAA', '0x68', '0x43', '0x54', '0x53', '0x53', '0x00', '0x68', '0xD0', '0x3F', '0x40', '0x00', '0xFF', '0x15', '0xD4', '0x3F', '0x40', '0x00', '0x83', '0xC4', '0x14', '0xFF', '0x15', '0xA0', '0x20', '0x40', '0x00', '0x33', '0xC0', '0xC3']
check = ['83', 'EC', '4C', 'A1', '00', '30', '40', '00', '33', 'C4', '89', '44', '24', '48', '53', '55', '56', '57', 'BB', '18', '34', '40', '00', 'E8', 'C4', 'FE', 'FF', 'FF', '8B', 'F0', 'B9', '10', '00', '00', '00', '8D', '7C', '24', '14', 'F3', 'A5', '66', 'A5', '50', 'A4', 'FF', '15', 'B0', '20', '40', '00', '8B', '7C', '24', '64', '8B', '77', '04', '83', 'C4', '04', '33', 'C9', '90', 'B8', '6B', '4C', 'A4', '07', 'F7', 'E1', 'D1', 'EA', '6B', 'D2', '43', '8B', 'C1', '2B', 'C2', '8A', '14', '31', '30', '54', '04', '14', '8D', '44', '04', '14', '41', '81', 'F9', 'B9', '02', '00', '00', '7C', 'DC', '8A', '4C', '24', '14', 'B8', '01', '00', '00', '00', '8D', '49', '00', '8A', '54', '04', '14', '32', '54', '04', '15', '83', 'C0', '05', '32', '54', '04', '11', '32', '54', '04', '13', '32', '54', '04', '12', '32', 'CA', '83', 'F8', '42', '7C', 'E2', '8A', '54', '24', '56', '32', 'D1', '88', '54', '24', '56', '8D', '44', '24', '14', 'B9', '42', '00', '00', '00', '30', '10', '40', '83', 'E9', '01', '75', 'F8', '8A', '0D', '00', '38', '40', '00', '33', 'C0', 'BA', '00', '38', '40', '00', '84', 'C9', '74', '1A', '8D', '9B', '00', '00', '00', '00', '0F', 'B6', 'C9', '33', 'C8', '81', 'E1', 'FF', '00', '00', '00', '42', '8B', 'C1', '8A', '0A', '84', 'C9', '75', 'EC', '8B', '37', '83', 'E0', '0F', '8D', '44', '44', '14', '8D', '54', '24', '14', '89', '44', '24', '10', '2B', 'C2', '85', 'C0', '7E', '68', '8B', 'E8', '8B', 'FE', '83', 'F8', '04', '72', '14', '8B', '0F', '3B', '0A', '75', '12', '83', 'ED', '04', '83', 'C2', '04', '83', 'C7', '04', '83', 'FD', '04', '73', 'EC', '85', 'ED', '74', '47', '0F', 'B6', '0F', '0F', 'B6', '1A', '2B', 'CB', '75', '31', '83', 'FD', '01', '76', '38', '0F', 'B6', '4F', '01', '0F', 'B6', '5A', '01', '2B', 'CB', '75', '20', '83', 'FD', '02', '76', '27', '0F', 'B6', '4F', '02', '0F', 'B6', '5A', '02', '2B', 'CB', '75', '0F', '83', 'FD', '03', '76', '16', '0F', 'B6', '4F', '03', '0F', 'B6', '52', '03', '2B', 'CA', 'C1', 'F9', '1F', '83', 
'C9', '01', '0F', '85', 'FF', '00', '00', '00', 'BF', '2C', '00', '00', '00', '2B', 'F8', '85', 'FF', '7E', '71', '8D', '4C', '04', '2B', '8D', '54', '30', '17', '83', 'FF', '04', '72', '19', 'EB', '03', '8D', '49', '00', '8B', '02', '3B', '01', '75', '12', '83', 'EF', '04', '83', 'C1', '04', '83', 'C2', '04', '83', 'FF', '04', '73', 'EC', '85', 'FF', '74', '47', '0F', 'B6', '02', '0F', 'B6', '31', '2B', 'C6', '75', '31', '83', 'FF', '01', '76', '38', '0F', 'B6', '42', '01', '0F', 'B6', '71', '01', '2B', 'C6', '75', '20', '83', 'FF', '02', '76', '27', '0F', 'B6', '42', '02', '0F', 'B6', '71', '02', '2B', 'C6', '75', '0F', '83', 'FF', '03', '76', '16', '0F', 'B6', '42', '03', '0F', 'B6', '49', '03', '2B', 'C1', 'C1', 'F8', '1F', '83', 'C8', '01', '0F', '85', '83', '00', '00', '00', '8B', '74', '24', '10', '8B', '54', '24', '60', 'B9', '05', '00', '00', '00', 'BF', 'E8', '3B', '40', '00', 'F3', 'A5', '66', 'A5', 'A4', '8B', '72', '04', 'BD', 'E8', '3B', '40', '00', 'BF', '17', '00', '00', '00', '0F', 'BE', '16', '8A', '45', '00', '83', 'E2', '07', 'B1', '08', '2A', 'CA', '8A', 'D8', 'D2', 'EB', '8B', 'CA', 'D2', 'E0', '46', '45', '0A', 'D8', '83', 'EF', '01', '88', '5D', 'FF', '75', 'DF', '8D', '57', '17', 'B8', 'F8', '20', '40', '00', 'B9', 'E8', '3B', '40', '00', '8B', '31', '3B', '30', '75', '2B', '83', 'EA', '04', '83', 'C0', '04', '83', 'C1', '04', '83', 'FA', '04', '73', 'EC', '8A', '10', '3A', '11', '75', '17', '8A', '50', '01', '3A', '51', '01', '75', '0F', '8A', '40', '02', '3A', '41', '02', '75', '07', '68', '30', '21', '40', '00', 'EB', '05', '68', '40', '21', '40', '00', 'FF', '15', 'A4', '20', '40', '00', '8B', '4C', '24', '5C', '83', 'C4', '04', '5F', '5E', '5D', '5B', '33', 'CC', 'E8', '04', '00', '00', '00', '83', 'C4', '4C', 'C3', '3B', '0D', '00', '30', '40', '00', '75', '02', 'F3', 'C3', 'E9', 'AC', '02', '00', '00', '68', '8C', '18', '40', '00', 'E8', 'A3', '04', '00', '00', 'A1', 'B8', '52', '40', '00', 'C7', '04', '24', '84', '4F', '40', '00', 
'FF', '35', 'B4', '52', '40', '00', 'A3', '84', '4F', '40', '00', '68', '74', '4F', '40', '00', '68', '78', '4F', '40', '00', '68', '70', '4F', '40', '00', 'FF', '15', '98', '20', '40', '00', '83']
 
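def decrypt():
    # res: the three serial parts concatenated (67 bytes, as '0x..' strings).
    # check: the 0x2B9 bytes of the function that serve as the XOR key.

    # Undo the XOR of the first 66 bytes with v7 (stored at index 0x42).
    v7 = int(res[0x42], 16)
    for i in range(66):
        res[i] = hex(v7 ^ int(res[i], 16))

    # Recover the original 67th byte: v7 = v4 ^ byte[66], so byte[66] = v4 ^ v7.
    v4 = 0
    for i in range(66):
        v4 ^= int(res[i], 16)
    res[66] = hex(v4 ^ v7)

    # Undo the cyclic XOR with the function bytes (key index i maps to buffer index i % 67).
    for i in range(len(check)):
        temp = int(check[i], 16) ^ int(res[i % 67], 16)
        res[i % 67] = format(temp, '02x')  # always two hex digits

    # Print the serial as one hex string (67 bytes, 134 characters).
    print(''.join(res))


if __name__ == '__main__':
    decrypt()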
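A forward model of the transformation described in this write-up, added here to check that the inverse round-trips (example code, not the challenge's or the author's own). The key, `main` bytes, middle part and x = 0x14 are constructed values, the helper names are hypothetical, and the XOR of the first 66 bytes with v7 is taken from the first loop of decrypt().

```python
import random

N, MID, KEY_LEN = 67, 0x17, 0x2B9  # buffer size, middle part, key bytes

def fold(buf, key):
    """XOR key[i] into buf[i % N]; applying it twice restores buf."""
    out = bytearray(buf)
    for i, k in enumerate(key):
        out[i % N] ^= k
    return out

def xor_all(data):
    acc = 0
    for c in data:
        acc ^= c
    return acc

def forward(serial, key):
    """Program side: fold with the code bytes, then the v4/v7 step."""
    b = fold(serial, key)
    v7 = xor_all(b[:66]) ^ b[66]
    b[66] = v7
    for i in range(66):  # inferred from the first loop of decrypt()
        b[i] ^= v7
    return bytes(b)

def inverse(target, key):
    """Solver side: same order of operations as the page's decrypt()."""
    b = bytearray(target)
    v7 = b[66]
    for i in range(66):
        b[i] ^= v7
    b[66] = xor_all(b[:66]) ^ v7
    return bytes(fold(b, key))

def build_target(main_bytes, middle, x):
    """Lay out the three parts: main[:x] | middle | main[x+0x17:67]."""
    if len(middle) != MID or not 0 <= x <= 0x2C or len(main_bytes) < N:
        raise ValueError("bad layout")
    return bytes(main_bytes[:x]) + bytes(middle) + bytes(main_bytes[x + MID:N])

def demo(seed=2024):
    rng = random.Random(seed)  # constructed key/main/middle, not the real binary
    key, main_b, mid = (bytes(rng.randrange(256) for _ in range(n)) for n in (KEY_LEN, N, MID))
    target = build_target(main_b, mid, 0x14)
    serial = inverse(target, key)
    return target, serial, forward(serial, key)
```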
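The breakpoint note in this write-up (0x401184, offset 0x21, 0xD6 changed to 0x90), worked through as an added example that is not part of the original post: because the function's own bytes are the XOR key, an INT3 at function offset k changes buffer byte k % 67 by (original byte ^ 0xCC). `fold` and `int3_effect` are hypothetical helper names; only the first 0x68 bytes of the `check` array are embedded, since the change depends on the patched byte alone.

```python
FUNC_BASE = 0x401120  # function start, from the write-up
PERIOD = 67           # size of the formatted serial buffer

# First 0x68 bytes of the function, copied from the `check` array on this page.
FUNC_PREFIX = bytes.fromhex(
    "83 EC 4C A1 00 30 40 00 33 C4 89 44 24 48 53 55 "
    "56 57 BB 18 34 40 00 E8 C4 FE FF FF 8B F0 B9 10 "
    "00 00 00 8D 7C 24 14 F3 A5 66 A5 50 A4 FF 15 B0 "
    "20 40 00 8B 7C 24 64 8B 77 04 83 C4 04 33 C9 90 "
    "B8 6B 4C A4 07 F7 E1 D1 EA 6B D2 43 8B C1 2B C2 "
    "8A 14 31 30 54 04 14 8D 44 04 14 41 81 F9 B9 02 "
    "00 00 7C DC 8A 4C 24 14"
)

def fold(buf, key):
    """XOR key[i] into buf[i % len(buf)], as the program does with its own code."""
    out = bytearray(buf)
    for i, k in enumerate(key):
        out[i % len(out)] ^= k
    return bytes(out)

def int3_effect(key, base, bp_addr, period=PERIOD):
    """Return (buffer index, XOR delta) caused by a software breakpoint at bp_addr."""
    off = bp_addr - base
    if not 0 <= off < len(key):
        return None  # breakpoint outside the bytes used as key: no effect
    patched = bytearray(key)
    patched[off] = 0xCC  # byte a debugger writes for a software breakpoint
    clean = fold(bytes(period), key)
    dirty = fold(bytes(period), bytes(patched))
    diffs = [(i, a ^ b) for i, (a, b) in enumerate(zip(clean, dirty)) if a != b]
    return diffs[0] if diffs else None

if __name__ == "__main__":
    idx, delta = int3_effect(FUNC_PREFIX, FUNC_BASE, 0x401184)
    # The value observed under the debugger, XORed with delta, is the clean value.
    print(hex(idx), hex(delta), hex(0xD6 ^ delta))
```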