[原创]KCTF 2024 第七题 星际移民 WriteUp
发表于: 2024-8-29 17:57 3509

[原创]KCTF 2024 第七题 星际移民 WriteUp

2024-8-29 17:57
3509

用ida打开, 先给一些全局变量改个名;

首先是第一段:

其中a1是off_403FD0:

所以a1[1]应该是指向sub_401120函数的指针, 其中的数据就是该函数的字节码

反向计算操作相同 (异或是自逆运算, 再做一次同样的异或即可还原);
之后

把 `j += 5` 的位置调换一下: for 循环里 `v4 ^= serial[j - 2] ^ serial[j - 1] ^ serial[j - 3] ^ v6` 和 `j += 5` 两者中, `j += 5` 是先执行的 (for 的第三个子句在循环体之后才执行):

可以转化为:

其反向计算为

下一段先备好xor_char2

之后分析下一段:

以 sep (即 2 * (xor_char2 & 0xF)) 和 sep+23 为界将 serial 分成三段, 将前后两段与 main_code 对应位置的内容比较, 需要相同, 否则就会 fail
下一段是:

qmemcpy复制了20字节, _WORD指针从10*2=20继续复制2字节, _BYTE指针复制1字节, 总共从serial_23复制了23字节
下一段为:

是通过 `<<` 和 `>>`, 以 code_401120 的数据为基准做一个循环移位操作
python实现为

其反向操作为

最后一段将 serial_23 与 KCTF-2024-CRACK-SUCCESS 比较:

最后的python代码是:

/*
 * Decompiled entry point (IDA pseudocode).
 * Reads a user name and a serial through the gets_1 function pointer into the
 * global buffers `user` and `serial`, then dispatches to the checker through
 * the off_403FD4 pointer, passing the off_403FD0 table (per the .data listing:
 * off_403FD0 == offset _main, off_403FD4 == offset sub_401120).
 * Security note: gets_1 looks like a gets()-style reader — no length is passed,
 * so both reads are unbounded writes into fixed global buffers; no size check
 * is visible anywhere in this listing.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  printf_1("Input User:\n");
  gets_1(&user);              // unbounded read into global `user`
  printf_1("Input Serial:\n");
  gets_1(&serial);            // unbounded read into global `serial`
  off_403FD4(&off_403FD0);    // indirect call; resolves to sub_401120 per the .data listing
  getchar();
  return 0;
}
/*
 * Decompiled entry point (IDA pseudocode), repeated listing.
 * Reads `user` and `serial` via the gets_1 function pointer, then calls the
 * checker through off_403FD4 with the off_403FD0 table as its argument
 * (off_403FD0 holds offset _main, off_403FD4 holds offset sub_401120).
 * Security note: gets_1 is called without any length argument, so both reads
 * are unbounded writes into fixed global buffers.
 */
int __cdecl main(int argc, const char **argv, const char **envp)
{
  printf_1("Input User:\n");
  gets_1(&user);              // unbounded read into global `user`
  printf_1("Input Serial:\n");
  gets_1(&serial);            // unbounded read into global `serial`
  off_403FD4(&off_403FD0);    // indirect call; off_403FD4 == sub_401120
  getchar();
  return 0;
}
/*
 * Decompiled serial-decoding stage 1 (reached through off_403FD4).
 * a1 is the off_403FD0 table: a1[0] == _main, a1[1] == sub_401120 (this very
 * function), per the .data listing.
 * 1. hex2bin_401000 turns the hex-string `serial` into raw bytes; it allocates
 *    the result (the free() below shows ownership is transferred to us).
 * 2. 0x43 (67) bytes are copied back over `serial` — no check of tmp's actual
 *    length is visible.
 * 3. The 67 bytes are XORed with 0x2B9 (697) bytes of this function's own
 *    machine code, the serial index wrapping modulo 0x43.
 * Because the key is the function's own code, any in-memory change to the
 * first 0x2B9 bytes of sub_401120 (e.g. a software breakpoint) changes the
 * key — an implicit integrity check to keep in mind when analysing it.
 * Note: declared int, but no return value appears in the listing.
 */
int __cdecl sub_401120(unsigned __int8 **a1) // off_403FD4
{
    tmp = hex2bin_401000(::serial);   // allocates; freed below
    qmemcpy(serial, tmp, 0x43u);      // 67 raw serial bytes
    free(tmp);
    v2 = a1[1];                       // == address of sub_401120: key bytes are its own code
    for ( i = 0; i < 0x2B9; ++i )
    serial[i % 0x43u] ^= v2[i];       // 697 key bytes folded over 67 serial bytes
}
/*
 * Decompiled serial-decoding stage 1, repeated listing.
 * a1 is the off_403FD0 table (a1[0] == _main, a1[1] == sub_401120 itself).
 * Converts the hex-string serial to raw bytes (hex2bin_401000 allocates; the
 * free() below takes ownership), copies 0x43 (67) bytes back over `serial`
 * without checking tmp's length, then XORs them with 0x2B9 (697) bytes of this
 * function's own machine code, wrapping the serial index modulo 0x43.
 * Patching or breakpointing inside the first 0x2B9 bytes of sub_401120 alters
 * the key. Declared int, but no return value is visible.
 */
int __cdecl sub_401120(unsigned __int8 **a1) // off_403FD4
{
    tmp = hex2bin_401000(::serial);   // allocates; freed below
    qmemcpy(serial, tmp, 0x43u);      // 67 raw serial bytes
    free(tmp);
    v2 = a1[1];                       // address of sub_401120: key is its own code
    for ( i = 0; i < 0x2B9; ++i )
    serial[i % 0x43u] ^= v2[i];
}
; Function-pointer table in .data. main passes &off_403FD0 to the checker
; (off_403FD4(&off_403FD0)), so inside sub_401120 a1[0] == _main and
; a1[1] == sub_401120 itself.
.data:00403FD0 off_403FD0      dd offset _main         ; DATA XREF: _main+2C↑o
.data:00403FD0                                         ; .data:0040302C↑o
.data:00403FD4 ; _DWORD (__cdecl *off_403FD4)(_DWORD)
; a1[1]: sub_401120 reads 0x2B9 bytes of code starting at the address stored
; here and uses them as the XOR key for the serial.
.data:00403FD4 off_403FD4      dd offset sub_401120    ; DATA XREF: _main+31↑r
.data:00403FD8 ; int (__cdecl *gets_1)(_DWORD)
; gets_1 is zero in the file; presumably filled in at runtime before main
; reads through it — confirm in the startup code.
.data:00403FD8 gets_1          dd 0                    ; DATA XREF: _main+10↑r
.data:00403FD8                                         ; _main+26↑r ...
; Repeated .data listing of the function-pointer table handed to sub_401120
; as a1: a1[0] == _main, a1[1] == sub_401120.
.data:00403FD0 off_403FD0      dd offset _main         ; DATA XREF: _main+2C↑o
.data:00403FD0                                         ; .data:0040302C↑o
.data:00403FD4 ; _DWORD (__cdecl *off_403FD4)(_DWORD)
; a1[1]: the XOR key is the code at the address stored here (sub_401120).
.data:00403FD4 off_403FD4      dd offset sub_401120    ; DATA XREF: _main+31↑r
.data:00403FD8 ; int (__cdecl *gets_1)(_DWORD)
; zero in the file; presumably resolved at runtime — confirm.
.data:00403FD8 gets_1          dd 0                    ; DATA XREF: _main+10↑r
.data:00403FD8                                         ; _main+26↑r ...
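# Recover the XOR key: the 0x2B9 (697) bytes of sub_401120's own machine code.
# The .text section is located in decode.exe by searching for the first bytes
# of the function at 0x401000; sub_401120 starts 0x120 bytes after it.
# `bin` shadows the builtin of the same name; kept so later snippets that
# reference it keep working.
with open('decode.exe', 'rb') as f:      # context manager: no leaked handle
    bin = f.read()
# hexview 00401000  83 EC 18 A1 00 30 40 00  33 C4 89 44 24 14 85 DB
text_base = bin.find(b'\x83\xec\x18\xa1')
if text_base < 0:
    # find() returns -1 on a miss; slicing from -1 would silently yield junk.
    raise ValueError("0x401000 signature not found in decode.exe")
code_401120 = bin[text_base + 0x120:text_base + 0x120 + 0x2B9]
if len(code_401120) != 0x2B9:
    raise ValueError("decode.exe too short: key shorter than 0x2B9 bytes")

# Undo stage 1: XOR is its own inverse, so replaying the same loop restores
# the bytes. `serial` is assumed to be a 67-byte (0x43) bytearray defined
# earlier in the script.
for i in range(0x2B9):
    serial[i % 0x43] ^= code_401120[i]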
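# Recover the XOR key (0x2B9 bytes of sub_401120's own code) from decode.exe:
# find the prologue of the function at 0x401000, then take the slice starting
# 0x120 bytes later. `bin` shadows the builtin; kept for the later snippets.
with open('decode.exe', 'rb') as f:      # context manager: no leaked handle
    bin = f.read()
# hexview 00401000  83 EC 18 A1 00 30 40 00  33 C4 89 44 24 14 85 DB
text_base = bin.find(b'\x83\xec\x18\xa1')
if text_base < 0:
    # a -1 from find() would otherwise slice from the end of the file
    raise ValueError("0x401000 signature not found in decode.exe")
code_401120 = bin[text_base + 0x120:text_base + 0x120 + 0x2B9]
if len(code_401120) != 0x2B9:
    raise ValueError("decode.exe too short: key shorter than 0x2B9 bytes")

# Undo stage 1 by replaying the XOR (self-inverse). `serial` is assumed to be
# a 67-byte bytearray defined earlier.
for i in range(0x2B9):
    serial[i % 0x43] ^= code_401120[i]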
// Decompiled stage 2, as IDA prints it. The for's third clause
// `v4 ^= ...` runs AFTER the body, i.e. after `j += 5`, so j-3, j-2, j-1
// refer to the already-advanced j (the pre-increment j+2, j+3, j+4).
// Running XOR seeded with serial[0].
v4 = serial[0];
for ( j = 1; j < 66; v4 ^= serial[j - 2] ^ serial[j - 1] ^ serial[j - 3] ^ v6 )
  {
    v6 = serial[j + 1] ^ serial[j];   // serial[j] ^ serial[j+1] at the pre-increment j
    j += 5;                           // advances before the update clause runs
  }
  // j takes 1, 6, ..., 61, so every index 1..65 is folded in exactly once:
  // v4 == XOR of serial[0..65].
  v7 = v4 ^ serial[66];
  serial[66] ^= v4;          // serial[66] now equals v7
  v8 = serial;
  v9 = 66;
  do
  {
    *v8++ ^= v7;             // serial[0..65] ^= the updated serial[66]
    --v9;
  }
  while ( v9 );
// Decompiled stage 2 (repeated listing). Note that the for's update clause
// `v4 ^= ...` executes after the body, hence after `j += 5`; the negative
// offsets j-3..j-1 therefore address the pre-increment j+2..j+4.
v4 = serial[0];
for ( j = 1; j < 66; v4 ^= serial[j - 2] ^ serial[j - 1] ^ serial[j - 3] ^ v6 )
  {
    v6 = serial[j + 1] ^ serial[j];   // serial[j] ^ serial[j+1] at the pre-increment j
    j += 5;
  }
  // Net: v4 == XOR of serial[0..65].
  v7 = v4 ^ serial[66];
  serial[66] ^= v4;          // serial[66] == v7 from here on
  v8 = serial;
  v9 = 66;
  do
  {
    *v8++ ^= v7;             // serial[0..65] ^= updated serial[66]
    --v9;
  }
  while ( v9 );
// Stage 2 rewritten with the increment moved into the for header, so the
// five bytes folded in per iteration are serial[j..j+4] (written in the
// order the original update clause evaluated them).
v4 = serial[0];
for ( j = 1; j < 66; j += 5 )
  {
    v6 = serial[j + 1] ^ serial[j];
    v4 ^= serial[j + 3] ^ serial[j + 4] ^ serial[j + 2] ^ v6;   // serial[j..j+4]
  }
  // j = 1, 6, ..., 61 covers indices 1..65 once each: v4 == XOR of serial[0..65].
  v7 = v4 ^ serial[66];
  serial[66] ^= v4;          // serial[66] now equals v7
  v8 = serial;
  v9 = 66;
  do
  {
    *v8++ ^= v7;             // serial[0..65] ^= the updated serial[66]
    --v9;
  }
  while ( v9 );
// Stage 2 with the increment in the for header (repeated listing): each
// iteration folds serial[j..j+4] into v4, giving v4 == XOR of serial[0..65].
v4 = serial[0];
for ( j = 1; j < 66; j += 5 )
  {
    v6 = serial[j + 1] ^ serial[j];
    v4 ^= serial[j + 3] ^ serial[j + 4] ^ serial[j + 2] ^ v6;   // serial[j..j+4]
  }
  v7 = v4 ^ serial[66];
  serial[66] ^= v4;          // serial[66] == v7 from here on
  v8 = serial;
  v9 = 66;
  do
  {
    *v8++ ^= v7;             // serial[0..65] ^= updated serial[66]
    --v9;
  }
  while ( v9 );
# Forward stage 2 (mirrors the decompiled loop): fold serial[0..65] into one
# parity byte, mix it into serial[66], then spread the updated serial[66]
# back over serial[0..65]. `serial` is assumed to be a 67-byte bytearray
# defined earlier in the script.
xor_char = 0
for b in serial[:66]:
    xor_char ^= b
serial[66] ^= xor_char

xor_char = serial[66]
for idx, b in enumerate(serial[:66]):
    serial[idx] = b ^ xor_char
# Forward stage 2 (repeated snippet): parity of serial[0..65] goes into
# serial[66]; the new serial[66] is then XORed over serial[0..65].
# `serial` must be a mutable 67-byte sequence defined earlier.
xor_char = 0
for b in serial[:66]:
    xor_char ^= b
serial[66] ^= xor_char

xor_char = serial[66]
for idx, b in enumerate(serial[:66]):
    serial[idx] = b ^ xor_char
# Inverse of stage 2, steps in reverse order: first strip serial[66] back out
# of serial[0..65] (restoring the original first 66 bytes), then recompute
# their parity and XOR it out of serial[66]. `serial` is assumed to be a
# 67-byte bytearray defined earlier.
xor_char = serial[66]
for idx, b in enumerate(serial[:66]):
    serial[idx] = b ^ xor_char

xor_char = 0
for b in serial[:66]:
    xor_char ^= b
serial[66] ^= xor_char
# Inverse of stage 2 (repeated snippet): undo the spread of serial[66] over
# serial[0..65], then undo the parity mix into serial[66].
# `serial` must be a mutable 67-byte sequence defined earlier.
xor_char = serial[66]
for idx, b in enumerate(serial[:66]):
    serial[idx] = b ^ xor_char

xor_char = 0
for b in serial[:66]:
    xor_char ^= b
serial[66] ^= xor_char
// Decompiled: xor_char2 = XOR of every byte of the NUL-terminated `user`
// string (0 for an empty user). v10 holds the current byte, v12 the advancing
// pointer; the `if ( user )` guards the empty-string case. Only the low
// nibble matters later (xor_char2 & 0xF selects the serial split point).
v10 = user;
xor_char2 = 0;
v12 = &user;
if ( user )
{
  do
  {
    ++v12;
    xor_char2 ^= v10;        // fold in the byte read on the previous step
    v10 = *v12;
  }
  while ( *v12 );            // stop at the terminator
}
// Decompiled (repeated listing): xor_char2 = XOR of all bytes of the
// NUL-terminated `user` string; empty user gives 0.
v10 = user;
xor_char2 = 0;
v12 = &user;
if ( user )
{
  do
  {
    ++v12;
    xor_char2 ^= v10;        // fold in the byte read on the previous step
    v10 = *v12;
  }
  while ( *v12 );            // stop at the terminator
}
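# XOR-fold the user name, mirroring the decompiled loop that walks the string
# up to its NUL terminator. Iterating over `user` itself (instead of a
# hard-coded range(4)) keeps this correct for names of any length.
user = b'KCTF'
xor_char2 = 0
for b in user:
    xor_char2 ^= b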
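# XOR-fold the user name (repeated snippet). Iterate over the bytes of `user`
# rather than a hard-coded range(4) so the snippet matches the decompiled
# loop for any user length.
user = b'KCTF'
xor_char2 = 0
for b in user:
    xor_char2 ^= b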
  // Decompiled stage 3: an inlined memcmp-style check of the serial against
  // the code bytes of _main (main_code == *a1 == a1[0], which the .data
  // listing shows is `offset _main`). The 67-byte serial is split at sep and
  // sep+23:
  //   [0, sep)        must equal main_code[0, sep)
  //   [sep, sep+23)   untouched here (serial_23, consumed by later stages)
  //   [sep+23, 67)    must equal main_code[sep+23, 67)   (44 - sep bytes)
  // sep = 2 * (xor_char2 & 0xF) is an even value in 0..30 derived from the
  // user name, so the split point depends on the user input.
  main_code = *a1;
  p_serial = serial;
  serial_23 = &serial[2 * (xor_char2 & 0xF)];
  sep = 2 * (xor_char2 & 0xF);
  if ( sep >= 0 && serial_23 != serial )     // i.e. sep != 0: empty prefix needs no compare
  {
    size = sep;
    pmain_code = main_code;
    if ( (unsigned int)sep < 4 )
    {
LABEL_13:
      if ( !size )
        goto LABEL_22;                       // whole prefix matched
    }
    else
    {
      while ( *(_DWORD *)pmain_code == *(_DWORD *)p_serial )   // 4 bytes at a time
      {
        size -= 4;
        p_serial += 4;
        pmain_code += 4;
        if ( size < 4 )
          goto LABEL_13;
      }
    }
    // Remaining tail (or the first mismatching dword): byte-wise compare.
    v18 = *pmain_code - *p_serial;
    if ( !v18 )
    {
      if ( size <= 1 )
        goto LABEL_22;
      v18 = pmain_code[1] - p_serial[1];
      if ( !v18 )
      {
        if ( size <= 2 )
          goto LABEL_22;
        v18 = pmain_code[2] - p_serial[2];
        if ( !v18 )
        {
          if ( size <= 3 )
            goto LABEL_22;
          v18 = pmain_code[3] - p_serial[3];
        }
      }
    }
    // (v18 >> 31) | 1 is always nonzero — looks like a folded sign test from
    // memcmp; in effect reaching this point means a mismatch was found.
    if ( (v18 >> 31) | 1 )
      return printf("fail.\n");
  }
LABEL_22:
  // Second segment: serial[sep+23 .. 67) vs main_code[sep+23 .. 67).
  v19 = 44 - sep;
  if ( 44 - sep > 0 )                        // always true for sep <= 30
  {
    v20 = &serial[sep + 23];
    v21 = &main_code[sep + 23];
    if ( v19 < 4 )
    {
LABEL_26:
      if ( !v19 )
        goto LABEL_35;                       // whole suffix matched
    }
    else
    {
      while ( *(_DWORD *)v21 == *(_DWORD *)v20 )   // 4 bytes at a time
      {
        v19 -= 4;
        v20 += 4;
        v21 += 4;
        if ( v19 < 4 )
          goto LABEL_26;
      }
    }
    // Byte-wise tail compare; any nonzero difference goes to the fail path.
    v22 = *v21 - *v20;
    if ( v22 )
      goto LABEL_34;
    if ( v19 > 1 )
    {
      v22 = v21[1] - v20[1];
      if ( v22 )
        goto LABEL_34;
      if ( v19 > 2 )
      {
        v22 = v21[2] - v20[2];
        if ( v22 )
          goto LABEL_34;
        if ( v19 > 3 )
        {
          v22 = v21[3] - v20[3];
LABEL_34:
          if ( (v22 >> 31) | 1 )             // always nonzero: mismatch -> fail
            return printf("fail.\n");
        }
      }
    }
  }
  // Repeated listing of stage 3 (truncated by the page after the third
  // byte comparison). serial[0, sep) is compared against the first sep bytes
  // of _main's code (main_code == a1[0] == offset _main), with
  // sep = 2 * (xor_char2 & 0xF).
  main_code = *a1;
  p_serial = serial;
  serial_23 = &serial[2 * (xor_char2 & 0xF)];
  sep = 2 * (xor_char2 & 0xF);
  if ( sep >= 0 && serial_23 != serial )     // i.e. sep != 0
  {
    size = sep;
    pmain_code = main_code;
    if ( (unsigned int)sep < 4 )
    {
LABEL_13:
      if ( !size )
        goto LABEL_22;                       // whole prefix matched
    }
    else
    {
      while ( *(_DWORD *)pmain_code == *(_DWORD *)p_serial )   // 4 bytes at a time
      {
        size -= 4;
        p_serial += 4;
        pmain_code += 4;
        if ( size < 4 )
          goto LABEL_13;
      }
    }
    v18 = *pmain_code - *p_serial;           // byte-wise tail compare
    if ( !v18 )
    {
      if ( size <= 1 )
        goto LABEL_22;
      v18 = pmain_code[1] - p_serial[1];
      if ( !v18 )
      {
        if ( size <= 2 )
          goto LABEL_22;
        v18 = pmain_code[2] - p_serial[2];
        if ( !v18 )
