|
爆破还是可以试试的。
这个程序逻辑上非常简单,就俩函数,加密这块全在一个里
signed int __thiscall check(const char *this)
{
const char *v1; // esi
unsigned int v2; // kr00_4
signed int result; // eax
unsigned int v4; // edx
char v5; // al
unsigned int v6; // esi
signed int v7; // edi
int v8; // edx
v1 = this;
v2 = strlen(this);
result = 0;
if ( v2 == 20 )
{
while ( byte_40FD48[result] == (v1[result + 10] ^ 7) )
{
if ( ++result >= 10 )
{
v4 = -1;
byte_4120C0[0] = *v1;
byte_4120D1 = v1[1];
byte_4120E2 = v1[2];
byte_4120F3 = v1[3];
byte_412104 = v1[4];
byte_412115 = v1[5];
byte_412126 = v1[6];
byte_412137 = v1[7];
byte_412148 = v1[8];
v5 = v1[9];
v6 = -1;
byte_412159 = v5;
v7 = 0;
do
{
v6 = dword_40FD60[2 * (unsigned __int8)(v6 ^ byte_4120C0[v7])] ^ (v6 >> 8);
v4 = dword_40FD64[2 * (unsigned __int8)(v4 ^ byte_4120C1[v7])] ^ (v4 >> 8);
v7 += 2;
}
while ( v7 < 256 );
v8 = ~v4;
if ( ~v6 == 0xBA56C4F9 && v8 == 0xE89BA203 )
return 1;
break;
}
}
result = 0;
}
return result;
}
当循环前10次时是拿后10个字符与给定值与7异或然后比较,所以这段很容易出结果
#10-19
key = b'd\'wuh`ufj&'
flag2 = ''.join([chr(i^7) for i in key])
print(flag2)
#c program!
从这可以得到一点信息(猜)未尾不是}所以开头也不是hctf{(这个在主函数里有提示),后来看到网上唯一一个写wp的,猜前4个是hctf然后写了一个运行不了的程序其实是不对的。这个不是纯时间暴力的问题。有点猜的成分。
然后第2个猜的更重要。
第2段加密是把输入的前10个字符放到key1里然后循环256轮将v6和v4进行查key1异或再查key2再异或前3字节。这个过程只能暴力。不过v6和v4分别处理的是偶数和奇数,这个每次只暴力5个字节就行了。
但是给了尾巴后结合名字可以猜到这个应该是 xxxxxx crc program! 也就是猜到后一个字母偶数应该是c。由于暴力范围确实比较大,写程序的时候只写偶数部分,一般这个偶数爆出来了,另一半可以猜!
几个小重点
- key2用python从程序里取再打印出来,因为太大了。
- v6无符号数右移和有符号数右移是不同的
- 由于256轮总是从前向后,每爆一个字符处理所以的n轮,会减少大量的cpu时间。只是不能两组一起暴了。但是可以把程序改一下两个人一起暴。
- 同样的机器,c运行一会比python,c,java都快,暴力用c。
#include <stdio.h>
#include <stdlib.h>
int main()
{
char key1[256] = "So this is a not diffcult problem if you have a very good compute.But if you do not have a good computer.It seems that This problem will take a lot of time.But not thing is impossible.So just try it!!Some times,The thing we seem is not reall [][]()()<><>..";
int key2[512] ={0, 0, 1996959894, 4067132163, 3993919788, 3778769143, 2567524794, 324072436, 124634137, 3348797215, 1886057615, 904991772,
3915621685, 648144872, 2657392035, 3570033899, 249268274, 2329499855, 2044508324, 2024987596, 3772115230, 1809983544, 2547177864, 2575936315,
162941995, 1296289744, 2125561021, 3207089363, 3887607047, 2893594407, 2428444049, 1578318884, 498536548, 274646895, 1789927666, 3795141740,
4089016648, 4049975192, 2227061214, 51262619, 450548861, 3619967088, 1843258603, 632279923, 4107580753, 922689671, 2211677639, 3298075524,
325883990, 2592579488, 1684777152, 1760304291, 4251122042, 2075979607, 2321926636, 2312596564, 335633487, 1562183871, 1661365465, 2943781820,
4195302755, 3156637768, 2366115317, 1313733451, 997073096, 549293790, 1281953886, 3537243613, 3579855332, 3246849577, 2724688242, 871202090,
1006888145, 3878099393, 1258607687, 357341890, 3524101629, 102525238, 2768942443, 4101499445, 901097722, 2858735121, 1119000684, 1477399826,
3686517206, 1264559846, 2898065728, 3107202533, 853044451, 1845379342, 1172266101, 2677391885, 3705015759, 2361733625, 2882616665, 2125378298,
651767980, 820201905, 1373503546, 3263744690, 3369554304, 3520608582, 3218104598, 598981189, 565507253, 4151959214, 1454621731, 85089709,
3485111705, 373468761, 3099436303, 3827903834, 671266974, 3124367742, 1594198024, 1213305469, 3322730930, 1526817161, 2970347812, 2842354314,
795835527, 2107672161, 1483230225, 2412447074, 3244367275, 2627466902, 3060149565, 1861252501, 1994146192, 1098587580, 31158534, 3004210879,
2563907772, 2688576843, 4023717930, 1378610760, 1907459465, 2262928035, 112637215, 1955203488, 2680153253, 1742404180, 3904427059, 2511436119,
2013776290, 3416409459, 251722036, 969524848, 2517215374, 714683780, 3775830040, 3639785095, 2137656763, 205050476, 141376813, 4266873199,
2439277719, 3976438427, 3865271297, 526918040, 1802195444, 1361435347, 476864866, 2739821008, 2238001368, 2954799652, 4066508878, 1114974503,
1812370925, 2529119692, 453092731, 1691668175, 2181625025, 2005155131, 4111451223, 2247081528, 1706088902, 3690758684, 314042704, 697762079,
2344532202, 986182379, 4240017532, 3366744552, 1658658271, 476452099, 366619977, 3993867776, 2362670323, 4250756596, 4224994405, 255256311,
1303535960, 1640403810, 984961486, 2477592673, 2747007092, 2164122517, 3569037538, 1922457750, 1256170817, 2791048317, 1037604311, 1412925310,
2765210733, 1197962378, 3554079995, 3037525897, 1131014506, 3944729517, 879679996, 427051182, 2909243462, 170179418, 3663771856, 4165941337,
1141124467, 746937522, 855842277, 3740196785, 2852801631, 3451792453, 3708648649, 1070968646, 1342533948, 1905808397, 654459306, 2213795598,
3188396048, 2426610938, 3373015174, 1657317369, 1466479909, 3053634322, 544179635, 1147748369, 3110523913, 1463399397, 3462522015, 2773627110,
1591671054, 4215344322, 702138776, 153784257, 2966460450, 444234805, 3352799412, 3893493558, 1504918807, 1021025245, 783551873, 3467647198,
3082640443, 3722505002, 3233442989, 797665321, 3988292384, 2197175160, 2596254646, 1889384571, 62317068, 1674398607, 1957810842, 2443626636,
3939845945, 1164749927, 2647816111, 3070701412, 81470997, 2757221520, 1943803523, 1446797203, 3814918930, 137323447, 2489596804, 4198817972,
225274430, 3910406976, 2053790376, 461344835, 3826175755, 3484808360, 2466906013, 1037989803, 167816743, 781091935, 2097651377, 3705997148,
4027552580, 2460548119, 2265490386, 1623424788, 503444072, 1939049696, 1762050814, 2180517859, 4150417245, 1429367560, 2154129355, 2807687179,
426522225, 3020495871, 1852507879, 1180866812, 4275313526, 410100952, 2312317920, 3927582683, 282753626, 4182430767, 1742555852, 186734380,
4189708143, 3756733383, 2394877945, 763408580, 397917763, 1053836080, 1622183637, 3434856499, 3604390888, 2722870694, 2714866558, 1344288421,
953729732, 1131464017, 1340076626, 2971354706, 3518719985, 1708204729, 2797360999, 2545590714, 1068828381, 2229949006, 1219638859, 1988219213,
3624741850, 680717673, 2936675148, 3673779818, 906185462, 3383336350, 1090812512, 1002577565, 3747672003, 4010310262, 2825379669, 493091189,
829329135, 238226049, 1181335161, 4233660802, 3412177804, 2987750089, 3160834842, 1082061258, 628085408, 1395524158, 1382605366, 2705686845,
3423369109, 1972364758, 3138078467, 2279892693, 570562233, 2494862625, 1426400815, 1725896226, 3317316542, 952904198, 2998733608, 3399985413,
733239954, 3656866545, 1555261956, 731699698, 3268935591, 4283874585, 3050360625, 222117402, 752459403, 510512622, 1541320221, 3959836397,
2607071920, 3280807620, 3965973030, 837199303, 1969922972, 582374963, 40735498, 3504198960, 2617837225, 68661723, 3943577151, 4135334616,
1913087877, 3844915500, 83908371, 390545967, 2512341634, 1230274059, 3803740692, 3141532936, 2075208622, 2825850620, 213261112, 1510247935,
2463272603, 2395924756, 3855990285, 2091215383, 2094854071, 1878366691, 198958881, 2644384480, 2262029012, 3553878443, 4057260610, 565732008,
1759359992, 854102364, 534414190, 3229815391, 2176718541, 340358836, 4139329115, 3861050807, 1873836001, 4117890627, 414664567, 119113024,
2282248934, 1493875044, 4279200368, 2875275879, 1711684554, 3090270611, 285281116, 1247431312, 2405801727, 2660249211, 4167216745, 1828433272,
1634467795, 2141937292, 376229701, 2378227087, 2685067896, 3811616794, 3608007406, 291187481, 1308918612, 34330861, 956543938, 4032846830,
2808555105, 615137029, 3495958263, 3603020806, 1231636301, 3314634738, 1047427035, 939183345, 2932959818, 1776939221, 3654703836, 2609017814,
1088359270, 2295496738, 936918000, 2058945313, 2847714899, 2926798794, 3736837829, 1545135305, 1202900863, 1330124605, 817233897, 3173225534,
3183342108, 4084100981, 3401237130, 17165430, 1404277552, 307568514, 615818150, 3762199681, 3134207493, 888469610, 3453421203, 3332340585,
1423857449, 3587147933, 601450431, 665062302, 3009837614, 2042050490, 3294710456, 2346497209, 1567103746, 2559330125, 711928724, 1793573966,
3020668471, 3190661285, 3272380065, 1279665062, 1510334235, 1595330642, 755167117, 2910671697};
int v7=0;
for(unsigned char i=0x20;i<0x80;i++){
printf("%d %c\n", i,i);
key1[0] = i;
unsigned int tv6 = -1;
for(v7=0;v7<34;v7+=2)tv6 = key2[2 * (unsigned char)(tv6 ^ key1[v7])] ^ (tv6 >> 8);
for(unsigned char j=0x20;j<0x80;j++){
key1[34] = j;
unsigned int yv6 = tv6;
for(v7=34;v7<68;v7+=2)yv6 = key2[2 * (unsigned char)(yv6 ^ key1[v7])] ^ (yv6 >> 8);
for(unsigned char k=0x20;k<0x80;k++){
key1[68] = k;
unsigned int uv6 = yv6;
for(v7=68;v7<102;v7+=2)uv6 = key2[2 * (unsigned char)(uv6 ^ key1[v7])] ^ (uv6 >> 8);
for(unsigned char l=0x20;l<0x80;l++){
key1[102] = l;
unsigned int iv6 = uv6;
for(v7=102;v7<136;v7+=2)iv6 = key2[2 * (unsigned char)(iv6 ^ key1[v7])] ^ (iv6 >> 8);
for(unsigned char m=99;m<100;m++){ // crc program!
key1[136] = m;
unsigned int ov6 = iv6;
for(v7=136;v7<0x100;v7+=2)ov6 = key2[2 * (unsigned char)(ov6 ^ key1[v7])] ^ (ov6 >> 8);
if(~ov6 == 0xBA56C4F9){
printf("%c %c %c %c %c [%d %d %d %d %d]\n",i,j,k,l,m,i,j,k,l,m);
return 0;
}
}
}
}
}
}
puts("fail");
return 0;
}
很快可以暴到结果:
#I? ?s?a?c?c program!
#猜
#It is a crc program!
#hctf{It is a crc program!}
|