DSACTF7月re
2022-07-28 18:10:00 【雨后初霁&】
DSACTF—re部分解
隐秘的角落

go语言是这种风格,不好定位主函数
用字符串定位



找到key为thisiskkk

密文也找到了


发现在初始化中对密文有操作

所以EXP
import hashlib
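m = hashlib.md5()

# Ciphertext lifted from the binary (36 bytes). The writeup notes that the
# binary's init routine XORs every stored byte with 0x23 before RC4 runs,
# so the script has to undo that layer first.
enc = [
    0xD8, 0xE5, 0x85, 0xBE, 0xE7, 0xF8, 0x58, 0x75, 0x95, 0x65,
    0x85, 0xE3, 0xA6, 0x47, 0x59, 0xB9, 0x14, 0x6F, 0x33, 0xB5,
    0xCA, 0x84, 0x0B, 0xE7, 0x92, 0x0E, 0xD2, 0xFD, 0x64, 0x18,
    0x96, 0xD0, 0x0F, 0x5E, 0x44, 0x3E,
]
key = "thisiskkk"


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Run RC4 over *data* under *key* (RC4 is symmetric: the same call decrypts).

    Mirrors the routine recovered from the binary: the standard KSA
    (``j = j + S[i] + key[i % len(key)]`` for 256 rounds, swap) followed by
    the PRGA, with every index reduced modulo 256.

    Args:
        key: RC4 key bytes; must be non-empty.
        data: bytes to transform.

    Returns:
        The transformed bytes, same length as *data*.

    Raises:
        ValueError: if *key* is empty (the inline version would have failed
            with ``ZeroDivisionError`` on ``j % len(key)``).
    """
    if not key:
        raise ValueError("RC4 key must not be empty")
    key_len = len(key)

    # KSA: permute the identity table under the key.
    sbox = list(range(256))
    j = 0
    for i in range(256):
        j = (j + sbox[i] + key[i % key_len]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]

    # PRGA: one keystream byte per input byte, XORed in.
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) % 256
        j = (j + sbox[i]) % 256
        sbox[i], sbox[j] = sbox[j], sbox[i]
        out.append(byte ^ sbox[(sbox[i] + sbox[j]) % 256])
    return bytes(out)


# Peel the init-time XOR, then the RC4 layer.
enc = rc4_crypt(key.encode(), bytes(b ^ 0x23 for b in enc))
print(enc)
m.update(enc)
print(m.hexdigest())
# DASCTF{9e1963bbbb1285b993c862a5a6f12604}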
EZGO
这题划分为密码题更合适

go语言不好定位主函数,从字符串下手


跟着交叉应用来到main

// main.main
// IDA pseudocode of the Go binary's main.main (the writeup's "EZGO").
// Flow, as far as the listing shows: read one string with fmt.Fscanf "%s",
// require its length to be 40, fold its bytes into a math/big Int, square
// that Int modulo a hard-coded 174-digit N, and compare the decimal form
// of the result with a hard-coded 173-digit string. That is a Rabin-style
// check (m^2 mod N == C, e = 2): the secret never has to be stored, but
// anyone who can factor N can recover m, which is what the EXP below does.
void __cdecl main_main()
{
__int128 v0; // xmm0
__int64 v1; // rcx
__int64 v2; // rax
__int64 i; // rdx
int v4; // ebx
__int64 v5; // rdx
__int64 v6; // [rsp+10h] [rbp-120h]
__int64 v7; // [rsp+18h] [rbp-118h]
__int64 v8; // [rsp+20h] [rbp-110h]
__int64 v9; // [rsp+28h] [rbp-108h]
__int64 v10; // [rsp+30h] [rbp-100h]
__int64 v11; // [rsp+38h] [rbp-F8h]
__int64 v12; // [rsp+40h] [rbp-F0h]
__int64 v13; // [rsp+48h] [rbp-E8h]
__int64 v14; // [rsp+58h] [rbp-D8h]
__int64 v15; // [rsp+60h] [rbp-D0h]
__int64 v16[3]; // [rsp+68h] [rbp-C8h] BYREF
char v17; // [rsp+80h] [rbp-B0h] BYREF
__int64 v18; // [rsp+88h] [rbp-A8h]
__int64 *v19; // [rsp+90h] [rbp-A0h]
__int64 v20[2]; // [rsp+98h] [rbp-98h] BYREF
__int64 v21[2]; // [rsp+A8h] [rbp-88h] BYREF
__int64 v22[2]; // [rsp+B8h] [rbp-78h] BYREF
__int64 v23[2]; // [rsp+C8h] [rbp-68h] BYREF
__int128 v24; // [rsp+D8h] [rbp-58h]
__int64 v25[2]; // [rsp+E8h] [rbp-48h] BYREF
__int128 v26; // [rsp+F8h] [rbp-38h]
// NOTE(review): v27/v28/v29 are passed together to the math_big calls and
// look like one big.Int laid out inline (flag word + nat slice); treat them
// as the accumulator "acc" below — confirm against the Go runtime layout.
__int64 v27; // [rsp+108h] [rbp-28h] BYREF
__int64 v28; // [rsp+110h] [rbp-20h]
__int64 v29[2]; // [rsp+118h] [rbp-18h]
// Go stack-growth prologue: not part of the program's logic.
while ( (unsigned __int64)&v17 <= *(_QWORD *)(*(_QWORD *)NtCurrentTeb()->NtTib.ArbitraryUserPointer + 16LL) )
runtime_morestack_noctxt();
// v19 is a freshly allocated *string; Fscanf("%s") fills it from stdin.
v19 = (__int64 *)runtime_newobject((__int64)&RTYPE_string);
v22[0] = (__int64)&RTYPE__ptr_string;
v22[1] = (__int64)v19;
fmt_Fscanf(
(__int64)&go_itab__ptr_os_File_comma__ptr_io_Reader,
qword_59D908,
(__int64)"%s",
2LL,
(__int64)v22,
1LL,
1LL);
// Per the writeup, v19[1] sits where the string header's len field is,
// so this is "input length must be exactly 40"; any other length fails.
if ( v19[1] != 40 )
goto LABEL_10;
// Zero the accumulator before the loop.
LOBYTE(v27) = 0;
v28 = 0LL;
v0 = 0LL;
*(_OWORD *)v29 = 0LL;
v1 = *v19;
v18 = *v19;
v2 = v19[1];
v15 = v2;
// Walk the input one rune at a time (i advances by 1 for ASCII bytes).
for ( i = 0LL; i < v2; i = v14 )
{
v4 = *(unsigned __int8 *)(v1 + i);
// Multi-byte UTF-8 path; irrelevant for printable ASCII input.
if ( (unsigned int)v4 >= 0x80 )
{
v4 = runtime_decoderune(v1, v2, i);
v5 = v8;
}
else
{
v5 = i + 1;
}
v14 = v5;
// nat_shl(..., 8): shifts the accumulator's magnitude left by 8 bits and
// stores the new slice back into v28/v29. The writeup skips this line as
// "unused", but together with the Add below it appears to build
// acc = (acc << 8) + byte, i.e. the input packed as a big-endian integer —
// which is also what the EXP's n2s() assumes. Confirm if reusing.
v11 = math_big_nat_shl(v28, v29[0], v29[1], v28, v29[0], v29[1], 8LL);
v29[0] = v12;
v29[1] = v13;
v28 = v11;
// v25 = big.Int(v4); acc += v25.
LOBYTE(v25[0]) = 0;
v25[1] = 0LL;
v26 = 0LL;
v6 = math_big__ptr_Int_SetInt64((__int64)v25, v4);
math_big__ptr_Int_Add((__int64)&v27, (__int64)&v27, v6);
v2 = v15;
v1 = v18;
v0 = 0LL;
}
// v23 = N, parsed from the 174-digit decimal literal (base 10).
LOBYTE(v23[0]) = 0;
v23[1] = 0LL;
v24 = v0;
math_big__ptr_Int_SetString(
(__int64)v23,
(__int64)"13145309456454850877228433642468099885703532627357198144609408341691751453534987676043709654743561019039155"
"6347148927592380050533193934285571983556924577144473815598516557161",
174LL,
10LL);
// acc = acc * acc; acc = acc mod N  (Rabin, e = 2).
math_big__ptr_Int_Mul((__int64)&v27, (__int64)&v27, (__int64)&v27);
math_big__ptr_Int_Mod((__int64)&v27, (__int64)&v27, (__int64)v23);
// Decimal string of acc; must be 173 chars and byte-equal to the constant C.
v9 = math_big_nat_itoa(v28, v29[0], v29[1], v27, 10LL);
if ( (unsigned __int64)runtime_slicebytetostring((__int64)v16, v9, v10) == 173
&& runtime_memequal(
v7,
(__int64)"335292815327342949386143410478703216167666281141823200936009909834563601227041859559210120519180804495"
"87733939007294096845300395098833835443815283246602601870001850089370636",
173LL) )
{
// Success message (the string behind off_514208 is not shown in this listing).
v21[0] = (__int64)&RTYPE_string;
v21[1] = (__int64)&off_514208;
fmt_Fprintln((__int64)&go_itab__ptr_os_File_comma__ptr_io_Writer, qword_59D910, (__int64)v21, 1LL, 1LL);
}
else
{
LABEL_10:
// Failure message, reached both from the length check and the compare.
v20[0] = (__int64)&RTYPE_string;
v20[1] = (__int64)&off_514218;
fmt_Fprintln((__int64)&go_itab__ptr_os_File_comma__ptr_io_Writer, qword_59D910, (__int64)v20, 1LL, 1LL);
}
}

应该是先读取字符串,再判断其长度,
放在结构体里面比较合适


就是这个有点牛马,根据数组寻址公式,v19[1]在结构体中正好是len的位置,不知道为啥不翻译成v19->len!=40
果然还是伪代码
接着对变量进行改名,ida起的名字不好看

对循环的把握

v4是我们输入的可见字符,不可能超过128,所以if里面的分支直接不看
对v11进行查看,发现后面没有用到的地方,直接不看

这一段没用,不看

上网查询得知,SetInt64,把v4变为数字,返回v25=v4,
而add就更明显,参数1=参数2+参数3,也就是v27=v27+v6(也是v4)

Int.SetString:参数1以参数4为进制,解析长度为参数3的字符串(参数2);由于参数4是10,
我们理解v23=int(这些字符串)
Mul就是v27=v27*v27
mod就是v27=v27%v23
itoa把int转为字符串类型与下面的字符串进行比较
我一开始用z3解,跑不出,用angr结果电脑环境出问题了。
其实是Rabin算法,这才弄出来
EXP
from libnum import *
import gmpy2
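# Values recovered from the binary: C (the 173-digit compare target) and
# N (the 174-digit modulus), plus N's factors p and q (e = 2 → Rabin).
c = 33529281532734294938614341047870321616766628114182320093600990983456360122704185955921012051918080449587733939007294096845300395098833835443815283246602601870001850089370636
n = 131453094564548508772284336424680998857035326273571981446094083416917514535349876760437096547435610190391556347148927592380050533193934285571983556924577144473815598516557161
e = 2  # Rabin public exponent; kept for reference, the shortcut below only needs p, q.
q = 17489158711316178659
p = 7516261744453902635364442762653073356746063224482072262455102025715350278471780391042196223686233375846890331396948280463168691132631674699134296333350979


def _mod_inverse(a: int, mod: int) -> int:
    """Return a^-1 mod *mod* by the extended Euclidean algorithm.

    Replaces ``gmpy2.invert`` so the script needs only the standard library.

    Raises:
        ValueError: if *a* has no inverse modulo *mod* (gcd != 1).
    """
    old_r, r = a % mod, mod
    old_s, s = 1, 0
    while r:
        quot = old_r // r
        old_r, r = r, old_r - quot * r
        old_s, s = s, old_s - quot * s
    if old_r != 1:
        raise ValueError("value is not invertible modulo the given modulus")
    return old_s % mod


def _int_to_bytes(value: int) -> bytes:
    """Big-endian byte string of a non-negative int (stdlib stand-in for libnum.n2s)."""
    return value.to_bytes((value.bit_length() + 7) // 8, "big")


def rabin_roots(c: int, p: int, q: int) -> list[int]:
    """Return the four square roots of *c* modulo n = p*q (Rabin decryption).

    Uses the shortcut ``c^((p+1)/4) mod p`` for the root mod p (and likewise
    for q), which is only a square root when p ≡ 3 (mod 4); the two partial
    roots are then combined with the CRT. The returned order matches the
    original script: [a, n-a, b, n-b].

    Args:
        c: ciphertext, i.e. m^2 mod n.
        p: one prime factor of n, must be ≡ 3 (mod 4).
        q: the other prime factor, must be ≡ 3 (mod 4).

    Returns:
        The four candidate plaintexts as ints in [0, n).

    Raises:
        ValueError: if p or q is not ≡ 3 (mod 4), or p and q are not coprime.
    """
    if p % 4 != 3 or q % 4 != 3:
        raise ValueError("Rabin shortcut requires p ≡ q ≡ 3 (mod 4)")
    n = p * q
    inv_p = _mod_inverse(p, q)
    inv_q = _mod_inverse(q, p)
    mp = pow(c, (p + 1) // 4, p)
    mq = pow(c, (q + 1) // 4, q)
    # CRT: term_q ≡ mq (mod q) and ≡ 0 (mod p); term_p the other way round.
    term_q = inv_p * p * mq
    term_p = inv_q * q * mp
    root_a = (term_q + term_p) % n
    root_b = (term_q - term_p) % n
    return [root_a, n - root_a, root_b, n - root_b]


# The four roots are only meaningful if p and q really factor N.
if p * q != n:
    raise ValueError("p * q != n: the factors do not match the modulus")

aa = rabin_roots(c, p, q)
for candidate in aa:
    plain = _int_to_bytes(candidate)
    if b"DASCTF" in plain:
        print(plain)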