-
-
[原创]KCTF2025 day10 wp
-
发表于: 2025-9-3 16:50
-
没有任何技巧, 只有数据流追踪
输入的数据第一步处理在0000000140044310, 大概可以看出来是一个将数据转化为二进制串的函数, 第一个参数是结果, 第二个参数为要转化的数据, 最后是要转化成的长度, 只是把0换成2, 1换成3然后拼接每一次转化的结果, 以16字节为一块:
然后就是不停下硬件断点跟踪, 直到进到000000014000E5A0进行了第二步处理, 第一步处理得到的binstr的每一位作为一级索引, 配合一个同样由2和3组成的key在一张9 * 9的表(00000001400C10C0)中取值:
再继续跟这一步得到的密文, 在sub_14000CB50进行了最终校验.
然后在拼接完二进制字符串后的00000001400587A6下断点进行加密轮次分析, 一共断下3次, 说明密文长度应该为0x30, 然后就是跟踪每一块的二进制字符串到加密和校验部分分别获取key和密文, 其中加密函数在程序运行中大概要被调用30000多次, 所以还是使用数据追踪的方式获取key, keygen如下:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 | from Crypto.Util.number import long_to_bytesdef bin2long(bs): if isinstance(bs, list): bs = bytes(bs) return int(''.join(bs.replace(b'\x02', b'0').replace(b'\x03', b'1').decode()), 2)key = [0x3,0x2,0x3,0x3,0x3,0x3,0x3,0x2,0x2,0x2,0x3,0x2,0x2,0x3,0x3,0x3,0x2,0x3,0x2,0x2,0x3,0x3,0x3,0x3,0x2,0x2,0x3,0x2,0x3,0x3,0x3,0x2,0x3,0x2,0x2,0x3,0x3,0x3,0x2,0x2,0x3,0x2,0x3,0x3,0x3,0x3,0x2,0x3,0x2,0x3,0x2,0x3,0x2,0x3,0x3,0x3,0x2,0x2,0x2,0x3,0x2,0x2,0x2,0x2,0x3,0x2,0x2,0x3,0x2,0x2,0x2,0x3,0x3,0x3,0x2,0x2,0x3,0x3,0x3,0x2,0x3,0x3,0x3,0x2,0x2,0x2,0x2,0x3,0x3,0x3,0x2,0x2,0x2,0x3,0x2,0x3,0x2,0x3,0x2,0x3,0x2,0x2,0x3,0x3,0x3,0x3,0x3,0x3,0x3,0x2,0x2,0x2,0x3,0x3,0x3,0x3,0x3,0x3,0x2,0x3,0x3,0x3,0x2,0x2,0x3,0x2,0x2,0x2,0x3,0x3,0x2,0x3,0x2,0x2,0x2,0x3,0x2,0x3,0x3,0x2,0x3,0x3,0x3,0x3,0x3,0x2,0x2,0x2,0x3,0x3,0x2,0x3,0x2,0x3,0x2,0x3,0x2,0x2,0x3,0x2,0x2,0x2,0x2,0x2,0x2,0x2,0x2,0x2,0x3,0x2,0x2,0x2,0x3,0x2,0x2,0x2,0x2,0x3,0x2,0x2,0x3,0x2,0x2,0x3,0x3,0x2,0x2,0x3,0x2,0x3,0x2,0x2,0x2,0x3,0x3,0x3,0x2,0x2,0x2,0x2,0x3,0x3,0x2,0x2,0x3,0x3,0x2,0x2,0x3,0x2,0x3,0x2,0x3,0x2,0x3,0x2,0x2,0x3,0x3,0x2,0x3,0x3,0x3,0x3,0x3,0x3,0x3,0x3,0x2,0x3,0x3,0x2,0x3,0x3,0x3,0x3,0x3,0x3,0x3,0x2,0x3,0x2,0x3,0x2,0x2,0x2,0x3,0x3,0x2,0x3,0x3,0x3,0x2,0x2,0x3,0x2,0x2,0x3,0x2,0x2,0x2,0x3,0x3,0x3,0x3,0x2,0x2,0x2,0x2,0x2,0x2,0x3,0x3,0x2,0x3,0x3,0x2,0x3,0x2,0x2,0x2,0x3,0x2,0x3,0x3,0x2,0x3,0x3,0x2,0x3,0x2,0x3,0x2,0x2,0x3,0x2,0x2,0x3,0x3,0x3,0x2,0x3,0x2,0x2,0x3,0x3,0x3,0x2,0x3,0x2,0x2,0x2,0x3,0x2,0x3,0x3,0x3,0x2,0x2,0x2,0x2,0x2,0x2,0x2,0x3,0x3,0x3,0x2,0x2,0x2,0x2,0x3,0x3,0x3,0x3,0x2,0x3,0x2,0x3,0x2,0x3,0x2,0x2,0x3,0x2,0x3,0x2,0x2,0x2,0x3,0x2,0x2,0x2,0x3,0x2,0x3,0x3,0x2,0x2,0x3,0x2,0x2,0x3,0x3,0x2,0x3,0x2,0x3,0x3,0x2,0x3,0x3,0x3,0x3,0x3,0x2,0x2,0x3,0x3,0x3,0x3,0x2,0x3,0x3]key = [key[0x80 * i : 0x80 * (i + 1)] for i in range(len(key) // 0x80)]enc = [0x3,0x3,0x3,0x3,0x2,0x3,0x2,0x3,0x2,0x3,0x3,0x2,0x2,0x3,0x2,0x2,0x2,0x2,0x2,0x3,0x3,0x2,0x3,0x3,0x2,0x3,0x3,0x2,0x3,0x2,0x2,0x2,0x3,0x3,0x3,0x2,0x2,0x3,0x3,0x3,0x3,0x2,0x2,0x2,0x2,0x3,0x2,0x3,0x2,0x3,0x3,0x2,0x2,0x2,0x3,0x3,0x2,0x3,0x3,0x3,0x2,0x3,0x2,0x3,0x3,0x2,0x3,0x2,0x2,0x2,0x3,0x2,0x3,0x3,0x3,0x3,0x3,0x3,0x2,0x2,0x3,0x3,0x2,0x3,0x2,0x2,0x3,0x3,0x3,0x3,0x3,0x3,0x3,0x3,0x2,0x2,0x2,0x2,0x3,0x3,0x2,0x2,0x2,0x2,0x3,0x3,0x2,0x3,0x2,0x3,0x2,0x3,0x3,0x3,0x2,0x2,0x3,0x3,0x3,0x2,0x3,0x3,0x3,0x3,0x3,0x2,0x2,0x3,0x3,0x3,0x3,0x2,0x2,0x2,0x2,0x3,0x2,0x2,0x2,0x2,0x3,0x3,0x2,0x3,0x3,0x2,0x3,0x2,0x2,0x2,0x2,0x2,0x2,0x3,0x3,0x2,0x2,0x3,0x3,0x2,0x2,0x3,0x3,0x2,0x2,0x2,0x2,0x3,0x3,0x2,0x3,0x3,0x2,0x2,0x2,0x3,0x2,0x2,0x3,0x2,0x3,0x2,0x3,0x3,0x3,0x2,0x3,0x3,0x3,0x2,0x2,0x3,0x2,0x3,0x2,0x2,0x3,0x2,0x2,0x3,0x3,0x3,0x3,0x3,0x2,0x3,0x2,0x3,0x3,0x2,0x2,0x3,0x3,0x3,0x2,0x3,0x2,0x3,0x2,0x3,0x3,0x2,0x2,0x2,0x3,0x3,0x2,0x3,0x3,0x2,0x3,0x3,0x3,0x2,0x2,0x3,0x3,0x3,0x2,0x2,0x3,0x2,0x2,0x3,0x2,0x2,0x2,0x3,0x2,0x3,0x2,0x2,0x2,0x2,0x3,0x2,0x2,0x2,0x3,0x2,0x2,0x2,0x3,0x3,0x3,0x3,0x3,0x2,0x2,0x2,0x3,0x3,0x3,0x2,0x2,0x2,0x2,0x2,0x3,0x2,0x2,0x3,0x3,0x2,0x2,0x2,0x3,0x3,0x2,0x3,0x3,0x2,0x3,0x2,0x3,0x3,0x2,0x2,0x2,0x3,0x2,0x2,0x2,0x2,0x3,0x3,0x2,0x3,0x3,0x3,0x3,0x3,0x3,0x2,0x2,0x2,0x3,0x2,0x2,0x2,0x2,0x2,0x3,0x3,0x3,0x3,0x3,0x3,0x2,0x3,0x3,0x2,0x2,0x2,0x3,0x3,0x3,0x2,0x3,0x2,0x3,0x2,0x2,0x3,0x2,0x3,0x2,0x2,0x2,0x3,0x2,0x2,0x2,0x3,0x2,0x3,0x3,0x2,0x2,0x3,0x2,0x2,0x3,0x3,0x2,0x3,0x2,0x3,0x3,0x2,0x3,0x3,0x3,0x3,0x3,0x2,0x2,0x3,0x3,0x3,0x3,0x2,0x3,0x3]table = [0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x0, 0x1, 0x2, 0x3, 0x1, 0x1, 0x2, 0x3, 0x1, 0x0, 0x1, 0x3, 0x2, 0x1, 0x1, 0x3, 0x2, 0x1, 0x0, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x0, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x0, 0x1, 0x2, 0x3, 0x1, 0x1, 0x2, 0x3, 0x1, 0x0, 0x1, 0x3, 0x2, 0x1, 0x1, 0x3, 0x2, 0x1, 0x0, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1, 0x1]enc = [enc[0x80 * i : 0x80 * (i + 1)] for i in range(len(enc) // 0x80)]ans = b''for idx, e in enumerate(enc): pans = [] for i, b in enumerate(e): if b == table[key[idx][i] + 9 * 2]: pans.append(2) else: pans.append(3) ans += long_to_bytes(bin2long(pans))print(ans) |
|
|
|---|---|
